DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2674445 - Last Review: October 12, 2012 - Revision: 2.0

Symptoms

Consider the following scenario:
  • You have a third-party application that sets an incorrect order for the access control list of a Calendar folder in a mailbox.
  • You move the mailbox that contains the Calendar folder to a Microsoft Exchange Server 2010 mailbox server. The move operation is completed successfully.
  • You try to change the access permission of the Calendar folder by using an Exchange Web Service (EWS) application, or by using a MAPI application, such as Microsoft Outlook.
In this scenario, you cannot change the access permissions of the Calendar folder.

Cause

This issue occurs because of an error when the Exchange store validates canonical access control lists. Therefore, the MAPI or EWS application cannot retrieve the access control list table of the Calendar folder.

Resolution

To resolve this issue, install the following update rollup:
2685289  (http://support.microsoft.com/kb/2685289/ ) Description of Update Rollup 3 for Exchange Server 2010 Service Pack 2

After the update is installed, you can enable the validation of canonical ACLs by configuring a registry key. To have us enable the validation of canonical ACLs for you, go to the "Fix it for me" section. If you prefer to enable the validation of canonical ACLs yourself, go to the "Let me fix it myself" section.

Fix it for me



To enable the validation of canonical ACLs automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard.


Collapse this imageExpand this image
Fix this problem (http://go.microsoft.com/?linkid=9818808)
Microsoft Fix it 55003
Collapse this imageExpand this image


Notes
  • Install update that is described in Microsoft Knowledge Base (KB) article 2685289  (http://support.microsoft.com/kb/2685289/ ) before you run this Fix it solution.
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.



Let me fix it myself

To enable the validation of canonical ACLs by configuring a registry key, follow these steps:
  1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  3. On the Edit menu, point to New, and then click DWORD (32 bit) Value.
  4. Type CheckCanonicalACLDuringMove, and then press Enter.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
After the validation of canonical access control lists feature is enabled, you cannot move folders in which the access control list is not in a canonical order. Additionally, you receive the following error message when you try to move the folder:
Error: MapiExceptionInvalidParameter: Unable to set properties on object. (hr=0x80070057, ec=-2147024809)
Diagnostic context:
Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=267]
Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=232][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropSetProps [10]
Lid: 17082 ROP Error: 0x80070057
Lid: 30561
Lid: 21921 StoreEc: 0x80070057
Lid: 27962 ROP: ropExtendedError [250]
Lid: 1494 ---- Remote Context Beg ----
Lid: 26426 ROP: ropSetProps [10]
Lid: 21970 StoreEc: 0x8004010F PropTag: 0x668F0040
Lid: 25000
Lid: 24936
Lid: 24952
Lid: 47113
Lid: 7915 StoreEc: 0x80070057
Lid: 5263 StoreEc: 0x80070057
Lid: 19768
Lid: 4559 StoreEc: 0x80070057
Lid: 1750 ---- Remote Context End ----
Lid: 26849
Lid: 21817 ROP Failure: 0x80070057
Lid: 25761
Lid: 1940 StoreEc: 0x80070057
Lid: 25297
Lid: 21201 StoreEc: 0x80070057

Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus) .
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me (http://blogs.technet.com/fixit4me/) " blog or send us an email (mailto:fixit4me@microsoft.com?Subject=KB) .

More information

For more information about access control lists, go to the following Microsoft website:
General information about access control lists (http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)
For more information about access control entries, go to the following Microsoft website:
General information about access control entries (http://msdn.microsoft.com/en-us/library/windows/desktop/aa374868(v=vs.85).aspx)
For more information about how to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL, go to the following Microsoft website:

Applies to
  • Microsoft Exchange Server 2010 Service Pack 2, when used with:
    • Microsoft Exchange Server 2010 Enterprise
    • Microsoft Exchange Server 2010 Standard
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter kbfixme kbmsifixme KB2674445
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support