We encountered an error today at my client site. When an administrator tried to add an e-mail address to mail-enabled user from their workstation using Active Directory Users and Computers, the encountered an error c10308a2.
The error is documented in KB article 905809.
My client was confused after looking at the article and needed some help interpreting the information and find out what he needed to do to fix the issue.
We first assigned the permissions to Service Control Manager as mentioned in Method 1. This is essential of the Network Trace shows the errors when call to Service Control Manager fails.
After this, the error persisted. Which indicates that user does not have permissions to access msExchangeSA service. The figure below shows the error as captured by Network Monitor.
At this point, you need to follow Method 2 mentioned in KB article. You can either create a new GPO or edit an existing GPO that applies to your Exchange servers. Once user or group the user is member of is assigned read permissions to System Attendant service, and GPO is effectively applied to the exchange servers, administrative user should be able to successfully edit or add e-mail addresses to mail-enabled users.
If you are interested in learning what happens behind the scenes when you add an e-mail address to a user account, Ben Winzenz has wrote an article about it at The Microsoft Exchange Team Blog.
One more thing. If Network trace shows LDAP payload as encrypted, it may not help you understand what is going on within LDAP queries.
Ben shines again here and has written an article about how to disable LDAP encryption and signing on an Exchange server.
Quote of the day:
I know that you believe that you understood what you think I said, but I am not sure you realize that what you heard is not what I meant. – Robert McCloskey