0 votes


After migrating users from Exchange 2007 On premise to Exchange Online, we experience a problem viewing/managing full Access permissions for some of the mailboxes.

We get the error: Failed to get mailbox rights. Some or all identity references could not be translated.

Using the Exchange Online admin tools, we can see everything just fine. Using PowerShell in a remote session, we see something similar to:

PS Z:\> get-mailbox teuser |Get-MailboxPermission |ft -AutoSize -Wrap

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
User, Test NT AUTHORITY\SELF {FullAccess, SendAs, ReadPermission} False False
User, Test NAMPRD08\Administrator {FullAccess} True True
User, Test NAMPRD08\Domain Admins {FullAccess} True True
User, Test NAMPRD08\Enterprise Admins {FullAccess} True True
User, Test NAMPRD08\Organization Management {FullAccess} True True
User, Test NT AUTHORITY\SYSTEM {FullAccess} True False
User, Test NT AUTHORITY\NETWORK SERVICE {ReadPermission} True False
User, Test NAMPRD08\Administrator {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Domain Admins {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Enterprise Admins {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Organization Management {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Public Folder Management {ReadPermission} True False
User, Test NAMPRD08\Exchange Servers {FullAccess, ReadPermission} True False
User, Test NAMPRD08\Exchange Trusted Subsystem {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Managed Availability Servers {ReadPermission} True False
User, Test PRDMGT01\View-Only Organization Management {ReadPermission} True False

These appear to be the same set of permissions found on users that we can successfully manage through Adaxes.

Any ideas?

by (710 points)

1 Answer

0 votes
by (1.8k points)
selected by
Best answer

I had the exact same problem a while back, but that was caused by a corrupt owner on a few mailboxes.
However you can test the same solution on a mailbox and see if you have the same error. I believe our issue also occured after a migration.

Try running the following powershell command towards one of the mailboxes that has the problem:

Add-mailboxpermission "Name of the mailbox" -Owner "nt authority\self"


As odsven already managed, the issue can be caused by corrupt owners of the failing mailboxes. Most typically, this occurs with migrated mailboxes. To check this, you can try running the following command in the Exchange Management Shell:

Get-MailboxPermission -Identity "CN=John Doe,OU=New York Office,DC=example,DC=com" -Owner:$True

where CN=John Doe,OU=New York Office,DC=example,DC=com is the Distinguished Name (DN) of a user that you are having issues with.

If you are getting the same error as with Adaxes, try running the same command but without the -Owner:$True part. If, on this run, you don't receive the error, then you are having an issue with corrupted mailbox owners. You'll need to repair the mailboxes that give such an error.

Related questions

0 votes
1 answer

We're trying to add a Send As permission in the properties for a group through Adaxes. It works for Send on Behalf, but whenever we try to add Send As delegation in Adaxes, ... (#Ze operation) at #re.#qe.Execute() --- End of inner exception stack trace ---

asked May 21, 2019 by rmoat (50 points)
0 votes
1 answer

Is there a way to use the built-in "Modify Exchange Properties" action to add a mailbox delegate that only resides in the cloud? We can do it via a powershell script, but I ... action. For example, I want to add "Company Administrator" to a user via the GUI:

asked Sep 14, 2015 by yourpp (540 points)
0 votes
1 answer

We are getting the following error when running the Expired Passwords report. Running the report as a full admin works. I believe the error has to do with permissions but not sure which ones are needed to view this report.

asked Sep 16, 2013 by jheisley (590 points)
0 votes
1 answer

Hi, I am looking to build a report whereby all users within a specific OU (Disabled and forwarding). The report will return users who have been inactive for 90 days along with ... do this. Could someone give me the script to be able to do this please? Thanks!

asked Dec 20, 2022 by gareth.aylward (180 points)
+1 vote
1 answer

Hello All, it is possible to configure SMTP mail setting using Exchange Online with modern authentication and Azure security defaults enabled? Currently I have setup local IIS ... defaults but I would like to connect to my more secured tenant. Regards Ivaylo

asked Dec 6, 2022 by ivaylo.valkov (100 points)
3,064 questions
2,777 answers
430,124 users