Share via

A security group does not have sufficient rights to an OAB folder

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2010-09-15

The Microsoft Exchange Best Practices Analyzer examines security permissions on the %PROGRAMFILES%\Microsoft\Exchange\ClientAccess\OAB\<GUID> folders on Microsoft Exchange Server 2007 and Microsoft Exchange server 2010 Client Access servers. The Analyzer tool performs this operation to determine whether particular security groups have the appropriate rights assigned. Specifically, the tool examines the permissions for the folders in the following table.

Security group Permission requirement

Authenticated Users


Enterprise Admins


Domain Admins


Exchange Organization Administrators (This group is on Exchange Server 2007 only.)


Exchange Organization Management (This group is on Exchange Server 2010 only.)


Exchange Servers

Full Control


Full Control

If the Analyzer tool determines that incorrect permissions are assigned to a group, the tool generates the following error message:

'<GroupName>' does not have '<RequiredPermission>' permission of folder '<OfflineAddressBookPath>' on server <ServerName>. This will cause clients to fail to download Offline Address Book via HTTP(s). Please add '<RequiredPermission>' permission of this folder to this group.

In Exchange 2007 and in Exchange 2010, the Microsoft Exchange System Attendant service that runs on mailbox servers generates Offline Address Book (OAB) data. Also, the Microsoft Exchange System Attendant service publishes the data files to a network share. By default, this network share is \\<ServerName>\ExchangeOAB. The OAB files are published to folders that are represented by GUIDs.

Because you can install Exchange 2007 or Exchange 2010 without public folder databases, no public folder distribution mechanism may be available for OABs. Instead, Exchange 2007 or Exchange 2010 uses HTTP-based or HTTPS-based OAB distribution. On Client Access servers, the Microsoft Exchange File Distribution service (MSExchangeFDS.exe) is responsible for keeping the local OAB files synchronized with the copies on the Mailbox server.

The Microsoft Exchange File Distribution Service on each Client Access server picks up the OAB files from the file share and copies them to the local virtual directory. Typically, this virtual directory is named /Oab.

Microsoft Office Outlook 2007 obtains a URL that points to the .xml index of the OAB data files, also known as the OAB manifest, and then retrieves the OAB data files.


The URL to the OAB manifest is provided by the Autodiscover service. This URL may resemble<GUID>/oab.xml.

If incorrect or insufficient permissions are configured on the %PROGRAMFILES%\Microsoft\Exchange\ClientAccess\OAB\<GUID> folders on the Client Access server, Outlook clients cannot use the HTTP protocol or the HTTPS protocol to download the OAB.

To address this issue, modify the permissions on the OAB-related folders.

To modify folder permissions

  1. On the Client Access server, start Windows Explorer, and then locate the following folder:



    Modify this path as appropriate for your Exchange installation directory.

  2. In the right pane, right-click an OAB folder (represented by a GUID), and then click Properties.

  3. Click the Security tab, and then modify the permissions as shown in the table that appears earlier in this topic.

  4. When you have finished modifying the OAB folder permissions, click OK.

For More Information

For more information about OAB distribution, see the following Exchange Server Team Blog articles:


The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" with no warranties, and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.