22 C
Dubai
Sunday, December 22, 2024

Exchange Control Panel Error Access Control entry not resolved

When ever you login to Exchange Control Panel ,  you will get a error on Delegation Tab

The Object user has been corrupted or isn’t compatible with Microsoft Support Requirement and it’s in an inconsistent state. The Following validation errors happened

Warning
The object azure365pro.com/user/test has been corrupted or isn’t compatible with Microsoft support requirements, and it’s in an inconsistent state. The following validation errors happened:
The access control entry defines the ObjectType ‘d819615a-3b9b-4738-b47e-f1bd8e000ea4’ that can’t be resolved..
The access control entry defines the ObjectType ‘e2d6986b-2c7f-4cda-9851-d50003fb6706’ that can’t be resolved..

image

Get-AdPermission "DC=Azure365pro,DC=com"

image

image

Warning
The object azure365pro.com/user/test has been corrupted or isn’t compatible with Microsoft support requirements, and it’s in an inconsistent state. The following validation errors happened

The access control entry defines the ObjectType ‘d819615a-3b9b-4738-b47e-f1bd8e000ea4’ that can’t be resolved..

Get the corrupted Access Control Entry object value place in below command and run it.

Get-ACl "AD:\DC=Azure365pro,DC=com" | Select Access -ExpandProperty Access | Where-Object {$_.ObjectType -eq "e2d6986b-4505059851-d5b5f3fb6706"} 

Now Its points to a null reference which is a SID value. if you see a valid object. action only on that object. in my case its inheriting from the root domain.

image

Open Active Directory users and computers

Make sure Advanced Features is checked – Right Click on the root domain properties

imageimage

Check list –

  • No connectivity problems between domain controllers
  • Windows will show “Account Unknown” if it can’t connect to a Active Directory Server
  • if you have multiple domains or trust relation ships it might take a few moments or connectivity between them domains may cause account showing unknown
  • Have a good system state backup . Whatsoever permissions cannot be reverted backup unless you use tools like icacls.exe to backup permissions. Still it can’t be applied back as these objects doesn’t exist.

Most of the Old SID may show because of account being removed and permission was not able to remove by active directory.

Example –

Account Unknown (S-1-5-21-#########-#########-#########-1835)
Account Unknown (S-1-5-21-#########-#########-#########-1835)

Once you confirm above 100 % . Permissions are the most risky part in active directory. take extreme care when you touch permissions on the root domain.

Security – Advanced –

Removed the objects listed in identity reference In my case first identity reference was listed 5 times and second reference was listed 3 times.

Removed them safely.

Click on Apply.

Prompt Appears on Changing 80 to 90 permissions _ Clicked Yes.

image

It resolved the delegation error on Exchange Control Panel

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?