Deleted Administrative group exchange 2013

Allan Ruiz 11 Reputation points
2021-02-01T22:53:06.733+00:00

After a former administrator deleted several security groups involving Exchange well-known objects, we tried to recover by executing PrepareAD.

PrepareAD failed with an ACL overflow:

[01/24/2021 17:30:48.0403] [2] [ERROR] Length of the access control list exceed the allowed maximum.
[01/24/2021 17:30:48.0403] [2] [WARNING] An unexpected error has occurred and a Watson dump is being generated: Length of the access control list exceed the allowed maximum.
01/24/2021 17:30:50.0794 The following 1 error(s) occurred during task execution:
01/24/2021 17:30:50.0810 0. ErrorRecord: Length of the access control list exceed the allowed maximum.
01/24/2021 17:30:50.0810 0. ErrorRecord: System.OverflowException: Length of the access control list exceed the allowed maximum.
at System.Security.AccessControl.RawAcl.InsertAce(Int32 index, GenericAce ace)
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
at System.Security.AccessControl.DirectoryObjectSecurity.AddAccessRule(ObjectAccessRule rule)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnAcl(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, String objectIdentityString, ActiveDirectorySecurity acl, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnSd(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
01/24/2021 17:30:50.0810 [ERROR] The following error was generated when "$error.Clear();
$createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
$createMsoSyncRoot = $RoleIsDatacenter;

$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false

[bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

if ($RolePrepareAllDomains)
{
initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
elseif ($RoleDomain -ne $null)
{
initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
else
{
initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
" was run: "System.OverflowException: Length of the access control list exceed the allowed maximum.
at System.Security.AccessControl.RawAcl.InsertAce(Int32 index, GenericAce ace)
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
at System.Security.AccessControl.DirectoryObjectSecurity.AddAccessRule(ObjectAccessRule rule)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnAcl(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, String objectIdentityString, ActiveDirectorySecurity acl, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnSd(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)

After being unable to complete the PrepareAD run, we got our management groups duplicated with no roles assigned to them:
62656-screen-shot-2021-02-01-at-160202.png

Does anyone know if there is a way to manually assign the roles to the new group?
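Before re-running PrepareAD it helps to see how close the domain's DACL actually is to the limit the stack trace is hitting: .NET's RawAcl refuses to insert an ACE once the DACL would exceed GenericAcl.MaxBinaryLength (the 16-bit AclSize field). The following diagnostic is an added example, not code from this thread or from Exchange setup; it assumes the ActiveDirectory module (its AD: drive) is available and that you run it with rights to read the domain object's security descriptor.

```powershell
# Added diagnostic example; not from the thread or from Exchange setup.
# Assumptions: elevated PowerShell on a domain-joined host, ActiveDirectory
# module loaded (provides the AD: drive), read access to the domain object.
Import-Module ActiveDirectory

# Domain naming context: this is the object initialize-DomainPermissions
# adds ACEs to when the stack trace above fails.
$DomainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$DomainDN"

# Parse the raw security descriptor so we measure the DACL exactly the way
# System.Security.AccessControl does before it throws OverflowException.
$bytes = $acl.GetSecurityDescriptorBinaryForm()
$raw   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
$dacl  = $raw.DiscretionaryAcl
$max   = [System.Security.AccessControl.GenericAcl]::MaxBinaryLength   # 65535 bytes

"DACL on {0}: {1} ACEs, {2} of {3} bytes ({4:P0} of the limit)" -f `
    $DomainDN, $dacl.Count, $dacl.BinaryLength, $max, ($dacl.BinaryLength / $max)

# ACEs whose SID no longer resolves typically belong to deleted principals
# (such as the removed security groups); they still occupy DACL space and
# are worth reviewing before anything new is written to this object.
$orphaned = foreach ($rule in $acl.Access) {
    try   { $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
    catch { $rule }   # IdentityNotMappedException: SID has no matching account
}
"{0} ACEs reference unresolvable SIDs" -f @($orphaned).Count
$orphaned | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType -Unique |
    Format-Table -AutoSize

# Identities holding the most ACEs: DACL bloat is usually a few principals
# with many object-specific ACEs, which is where cleanup pays off most.
$acl.Access | Group-Object IdentityReference | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

The script only reads; decide on any ACE removal from the report and a backup of the security descriptor, not from the script.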


2 answers

  1. Andy David - MVP 150.4K Reputation points MVP
    2021-02-01T23:09:37.743+00:00

    You can click on that and add the roles.

    Double-click on the role and hit the plus sign to add.

    62695-image.png


  2. Kael Yao-MSFT 37,661 Reputation points Microsoft Vendor
    2021-02-02T09:15:51.767+00:00

    Hi, @Allan Ruiz
    From the screenshot, it seems the default "Organization Management" role group was deleted.
    You may refer to this document for detailed information about the roles assigned to this group: Organization Management

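For the duplicated role groups the thread describes, the assignments can be reconciled from the Exchange Management Shell instead of one click at a time in the EAC. This is an added example, not code from the thread or from the linked documentation; it assumes an Exchange Management Shell session with rights to create management role assignments, and it runs as a dry run unless $DryRun is changed.

```powershell
# Added example; not from the thread or from the linked documentation.
# Assumption: Exchange Management Shell, account allowed to manage role
# assignments. Dry run by default; set $DryRun = $false to apply changes.
$DryRun = $true

# Role groups that now exist more than once under the same name,
# e.g. "Organization Management" after the failed PrepareAD run.
$dupes = Get-RoleGroup | Group-Object Name | Where-Object { $_.Count -gt 1 }

foreach ($set in $dupes) {
    # Copies are told apart by DN, since the display name is ambiguous.
    $copies = foreach ($rg in $set.Group) {
        [pscustomobject]@{
            Group       = $rg
            Assignments = @(Get-ManagementRoleAssignment -RoleAssignee $rg.DistinguishedName)
        }
    }
    # The copy that still carries assignments is the reference; the rest are
    # the empty duplicates that need the same roles.
    $source = $copies | Sort-Object { $_.Assignments.Count } -Descending | Select-Object -First 1
    if ($source.Assignments.Count -eq 0) {
        Write-Warning "No copy of '$($set.Name)' has assignments; rebuild it from the documented role list."
        continue
    }
    foreach ($target in ($copies | Where-Object { $_.Group.DistinguishedName -ne $source.Group.DistinguishedName })) {
        $have = $target.Assignments | ForEach-Object { "$($_.Role.Name)|$($_.Delegating)" }
        foreach ($a in $source.Assignments) {
            if ($have -contains "$($a.Role.Name)|$($a.Delegating)") { continue }
            Write-Host ("{0}: add role '{1}' (Delegating={2}) to {3}" -f `
                $set.Name, $a.Role.Name, $a.Delegating, $target.Group.DistinguishedName)
            if (-not $DryRun) {
                # Copies the role and its delegating flag only; custom write
                # scopes on the source assignment must be re-applied by hand.
                New-ManagementRoleAssignment -Role $a.Role.Name `
                    -SecurityGroup $target.Group.DistinguishedName -Delegating:$a.Delegating
            }
        }
    }
}
```

Review the dry-run output against the Organization Management role list in the linked document before applying, and then remove the duplicate group that is not referenced anywhere.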
