Consider the following scenario:
- You have a third-party application that sets an incorrect order for the access control list of a Calendar folder in a mailbox.
- You move the mailbox that contains the Calendar folder to a Microsoft Exchange Server 2010 mailbox server. The move operation is completed successfully.
- You try to change the access permission of the Calendar folder by using an Exchange Web Service (EWS) application, or by using a MAPI application, such as Microsoft Outlook.
In this scenario, you cannot change the access permissions of the Calendar folder.
This issue occurs because of an error when the Exchange store validates canonical access control lists. Therefore, the MAPI or EWS application cannot retrieve the access control list table of the Calendar folder.
To resolve this issue, install the following update rollup:
Description of Update Rollup 3 for Exchange Server 2010 Service Pack 2
After the update is installed, you can enable the validation of canonical ACLs by configuring a registry key. To have us enable the validation of canonical ACLs for you, go to the "Fix it for me
" section. If you prefer to enable the validation of canonical ACLs yourself, go to the "Let me fix it myself
Fix it for me
To enable the validation of canonical ACLs automatically, click the Fix it
button or link. Then click Run
in the File Download
dialog box, and follow the steps in the Fix it
Fix this problem
Microsoft Fix it 55003
Collapse this imageExpand this image
Collapse this imageExpand this image
- Install update that is described in Microsoft Knowledge Base (KB) article 2685289
before you run this Fix it solution.
- This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
- If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.
Then, go to the "Did this fix the problem?
Let me fix it myself
To enable the validation of canonical ACLs by configuring a registry key, follow these steps:
- Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
- On the Edit menu, point to New, and then click DWORD (32 bit) Value.
- Type CheckCanonicalACLDuringMove, and then press Enter.
- On the Edit menu, click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
After the validation of canonical access control lists feature is enabled, you cannot move folders in which the access control list is not in a canonical order. Additionally, you receive the following error message when you try to move the folder:
Error: MapiExceptionInvalidParameter: Unable to set properties on object. (hr=0x80070057, ec=-2147024809)
Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=267]
Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=232][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropSetProps 
Lid: 17082 ROP Error: 0x80070057
Lid: 21921 StoreEc: 0x80070057
Lid: 27962 ROP: ropExtendedError 
Lid: 1494 ---- Remote Context Beg ----
Lid: 26426 ROP: ropSetProps 
Lid: 21970 StoreEc: 0x8004010F PropTag: 0x668F0040
Lid: 7915 StoreEc: 0x80070057
Lid: 5263 StoreEc: 0x80070057
Lid: 4559 StoreEc: 0x80070057
Lid: 1750 ---- Remote Context End ----
Lid: 21817 ROP Failure: 0x80070057
Lid: 1940 StoreEc: 0x80070057
Lid: 21201 StoreEc: 0x80070057
Did this fix the problem?
- Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support
- We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me
" blog or send us an email
For more information about access control lists, go to the following Microsoft website:
For more information about access control entries, go to the following Microsoft website:
For more information about how to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL, go to the following Microsoft website: