How to Recreate Corrupted Microsoft Security Groups in Exchange 2010

Some Times Reinstalling Exchange 2010 Corrupts the Security Groups or It will Duplicate the Security Groups.

Creating Console Permission issues or Role may not load properly or User Might get Access Denied Error.

We will learn how to cleanup and recreate Microsoft Exchange Security Groups as a last option.

We will delete all the Security Groups in the Microsoft Exchange Security Groups Container.

Now Running Setup.com /preparead won’t allow you to recreate it as OtherWellKnownObjects attribute on the Microsoft Exchange Container will be pointing to Deleted Objects , It has to be Removed

It cannot be Removed via Adsiedit

And we got to Use LDP to Clear the attribute

Those who are new to LDP, Am not able to edit the OtherWellKnownObjects in Adsiedit as Shown Below . So am Using LDP

Start –> Run –> LDP

Click Connection – Connect –

Click Ok if you running on the Server itself

View –> Tree

Choose –> Configuration Container

Now You won’t be Expand it . Unless you Bind it

Connection –> Bind

Double Click on Configuration –> To Expand

Scroll down to Microsoft Exchange Container –> Right Click –> Modify

Now we got to Edit OtherWellKnownObject attribute

Attribute – > OtherWellKnownObject

Values –>

Choose Replace

Click On Enter

Now Empty Value has been Added –

Click Run

Now you could see Other Well known Objects have been Cleared

Now Setup.com /preparead is successful

Now Security Groups are back

Now Console and Exchange Management Shell may not open

Or It may show Partial information.

Because the Role Base Access Control Information is lost as Security Groups have been deleted and Recreated

Showing Partial Information –

Or Role May not Load Properly

To get the Roles Installed Back for the Users

Add-PSSnapin *Setup

Install-CannedRbacRoleAssignments –InvocationMode Install

Now Exchange Management Console and Exchange Management Shell is back online

Now Still you might not be able to Create or Remove are Edit anything in the EMC or EMS

you will get an Error

Active Directory operation failed on DC.CareExchange.in . This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS)

Because the group memberships might have been removed

Add the Exchange Server Computer Account in Exchange Servers Group & Exchange Trusted Subsystem Group

Now you got to reboot the Exchange Server after adding it , To update Group memberships

27 COMMENTS

Creig June 1, 2012 At 6:24 pm

Nice One

Arun June 1, 2012 At 6:26 pm

Great One !!

Mike June 1, 2012 At 6:28 pm

Thanks for the post

Sunder June 1, 2012 At 9:40 pm

Good one Sathesh.

Administrator June 1, 2012 At 9:54 pm

Thanks Sunder !!

Alan June 10, 2012 At 3:11 am

Thanks a lot for this article

f2p mmo July 10, 2012 At 6:23 pm

salutations from over the ocean. interesting blog I shall return for more.

like this September 21, 2012 At 4:49 pm

bonjour I’m Sarah I’m such a air head but I still really loved your blog

love this September 21, 2012 At 9:13 pm

I came here hunting something else, but this enlightened me regardless. Inspiring stuff!

Chadwick Gaeta September 22, 2012 At 3:45 am

I just want to mention I am beginner to weblog and definitely liked your web-site. Very likely I’m want to bookmark your blog . You surely have really good well written articles. Thanks a bunch for sharing your blog.

Mrs J Russell October 2, 2012 At 4:28 pm

Well said. Thanks so much!

Fábio Augusto November 25, 2012 At 8:07 am

Thank you,

But please fix

Attribute – > OtherWellKnownObject ERROR
Attribute – > OtherWellKnownObjects OK

- Satheshwaran Manoharan November 26, 2012 At 7:34 pm
  
  Do you have Deleted Entries in OtherWellKnownObject attribute ?
  
Pranav Kumar Sharma November 27, 2012 At 12:55 am

This Blog was very help full. Thanks a lot Sathesh.

- Satheshwaran Manoharan November 27, 2012 At 8:32 am
  
  You are most welcome Pranav !!
  
martien February 5, 2014 At 8:18 am

Thanks for this article!
Please fix Install-CannedRbacRoleAssigments –InvocationMode Install
You are missing a letter in Assignments!

- Satheshwaran Manoharan February 5, 2014 At 10:59 am
  
  Updated , Thanks Martien
  
JR Velasco September 20, 2014 At 5:34 pm

Thank you so much… saved my ass off today.. Lol

Sherif October 15, 2014 At 1:50 pm

thank you so much i have the same problem the problem mass is
Organization Preparation ……………………. FAILED
The following error was generated when “$error.Clear(); initialize-ExchangeUniversalGroups -DomainController $RoleDomainController” was run: “The well-known object entry B:32:B3DDC6BE2A3BE84B97EB2DCE9477E389:CN=Help DeskADE
L:4cf9ed94-9d99-4d1e-8e7a-95ed2c86fd5d,CN=Deleted Objects,DC=DeltaAromatic,DC=com on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DeltaAromatic,DC=com points to
an invalid DN or a deleted object. Remove the entry, and then rerun the task.”.

so in active directory in Microsoft exchange security group i con see the HelpDesk Group

note : i install the exchange 2010 before and uninstall but i cannot install in the same active directory agin

- Sherif November 17, 2014 At 10:40 am
  
  thank you so much but i have another problem in the last time i have a exchange 2010 but he has a corropted so i am delete it and run the installation agian after the instaaltion is finished all the users they moved to exchange 2010 still in exchange 2010 but actually the mailbox is in exchange 2003 i tray to move it again i can not so how to i clean active from all exchange 2010 object
  
- Satheshwaran Manoharan January 7, 2015 At 4:31 am
  
  Thank you for your inputs Sherif
  
Server System Engineer December 23, 2014 At 2:53 am

Hi Satheshwaran,

I’m stuck in the similar situation when performing Exchange Server 2010 SP3 upgrade as follows:

Organization Preparation FAILED The following error was generated when “$error.Clear();
initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions” was run: “Active Directory operation failed on PRODDC01.MyDomain.com. The object ‘OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com’ already exists.”.

[12/22/2014 18:01:11.0158] [1] [ERROR] Active Directory operation failed on PRODDC01.MyDomain.com. The object ‘OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com’ already exists.
[12/22/2014 18:01:11.0158] [1] [ERROR] The object exists.
[12/22/2014 18:01:11.0158] [1] [ERROR-REFERENCE] Id=443949901 Component=

So in this case can I safely recreate all of those missing Security Groups such as:

“Exchange Organization Administrators”
“Microsoft Exchange Security Groups”
“Organization Management”

using your steps above without causing email flow or service delivery issue ?

www.infotiger.com March 30, 2016 At 1:03 pm

There’s definately a lot to find outt about tis subject. I
love all the points you made.

ShelbyUObeng August 16, 2016 At 3:49 pm

I tend not to have any idea the way i wound up here,
however i thought this post was good. I tend
not to know what you are about but certainly you’re attending
a famous blogger if you aren’t already 😉 Cheers!

Me September 22, 2016 At 12:56 am

This was a huge help

Rodrigo November 7, 2016 At 11:09 pm

Hi – what about recreating default domain permissions? someone reset domain object to Default Permissions and I lost all Exchange Groups Assignment. Is this process god to recover this? My exchange works but I have a lot of issues with permissions with OWA or ActiveSync access and move mailbox.

- Satheshwaran Manoharan November 9, 2016 At 8:10 am
  
  Running Prepare AD. Fixes Active directory Permissions