When creating a new mailbox, the following error is returned:
Active Directory operation failed on ad.domain.local. This error is not retriable. Additional information:
Access is denied.
Active directory response: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (:) [New-Mailbox], ADOperationException
+ FullyQualifiedErrorId : [Server=exchange,RequestId=69610c9c-7840-4531-8193-bf1658170089,TimeStamp=5/25/2017 5:32:
27 AM] [FailureCategory=Cmdlet-ADOperationException] BCCD1276,Microsoft.Exchange.Management.RecipientTasks.NewMail
+ PSComputerName : exchange.domain.local
1. On a domain controller for ECSC, logged in with domain admin credentials, open “Active Directory Users and Computers”
2. Turn on Advanced features: View, Advanced features (should be checked when on)
3. Right-click the domain object, then click “Properties”
4. In the Properties window, select the “Security” tab
5. Click “Advanced” to open the Advanced Security Settings
6. To add the missing rights, click add
7. In “Enter the object name to select”, type: Authenticated Users then click “OK”
8. In the “Permissions Entry…” dialog, change “Apply to” to “This object only” and check Allow for “Unexpire password” and “Update password not required bit”
9. Click “OK”
10. Click “OK” on the Advanced Security Settings
11. Click “OK” on the Domain Properties
12. To test, open LDP under the system context on the Exchange server, connect to the DC you made the changes on, and attempt to set the pwdLastSet to -1
13. Once domain replication has completed, the New-Mailbox command should work.
14. If step 12 worked, test the New-Mailbox command
If it still doesn’t work, post the detailed error message of the event.
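To confirm the result of steps 6 to 11 without opening the GUI, the following read-only check reports whether Authenticated Users holds an Allow entry for each of the two rights on the domain object. It is an added example, not part of the original forum answer; it assumes the RSAT ActiveDirectory module is installed and looks the rights up by their `cn` in the Extended-Rights container.

```powershell
# Added example: read-only check of the ACL on the domain object.
# Assumes the RSAT ActiveDirectory module; run it against the DC you changed
# or after replication has completed.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve the two control access rights to their rightsGuid values.
$wanted = @{}
foreach ($cn in 'Unexpire-Password', 'Update-Password-Not-Required-Bit') {
    $obj = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(cn=$cn)" -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$cn' not found under $rightsDn" }
    $wanted[$cn] = [guid]$obj.rightsGuid
}

# Read explicit and inherited ACEs with identities returned as SIDs,
# so the match does not depend on localized account names.
$acl   = Get-Acl -Path "AD:\$domainDn"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($cn in $wanted.Keys) {
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and      # Authenticated Users
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extendedRight) -and
        # An empty ObjectType on an ExtendedRight ACE means "all extended rights".
        ($_.ObjectType -eq $wanted[$cn] -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Right     = $cn
        Granted   = [bool]$match
        Inherited = ($match | ForEach-Object { $_.IsInherited }) -join ','
    }
}
```

A `Granted` value of `False` for either right means the corresponding Allow entry from step 8 is missing on that domain controller. Only Allow entries are examined, so an overriding Deny entry would not show up here.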
Source credits : https://social.technet.microsoft.com/Forums/office/en-US/ea7b5f74-84db-4046-af0c-b742a77f47ac/unable-to-create-new-mailbox-permission-error?forum=Exch2016Adm#714946f0-aa0e-4c06-ac57-48504de9e7c6