A former sysadmin deleted several groups, including Exchange Management Security Groups.

In order to repair his error, he tried to execute prepad. Prepad didn't execute correctly, ending with this error:

```text
[01/24/2021 17:30:48.0403] [2] [ERROR] Length of the access control list exceed the allowed maximum.
[01/24/2021 17:30:48.0403] [2] [WARNING] An unexpected error has occurred and a Watson dump is being generated: Length of the access control list exceed the allowed maximum.
[01/24/2021 17:30:50.0794] 1 The following 1 error(s) occurred during task execution:
[01/24/2021 17:30:50.0810] 1 0. ErrorRecord: Length of the access control list exceed the allowed maximum.
[01/24/2021 17:30:50.0810] 1 0. ErrorRecord: System.OverflowException: Length of the access control list exceed the allowed maximum.
   at System.Security.AccessControl.RawAcl.InsertAce(Int32 index, GenericAce ace)
   at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
   at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
   at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
   at System.Security.AccessControl.DirectoryObjectSecurity.AddAccessRule(ObjectAccessRule rule)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnAcl(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, String objectIdentityString, ActiveDirectorySecurity acl, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnSd(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
[01/24/2021 17:30:50.0810] 1 [ERROR] The following error was generated when "$error.Clear();
    $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
    $createMsoSyncRoot = $RoleIsDatacenter;

    #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
    [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

    if ($RolePrepareAllDomains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest; }
    elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest; }
    else { initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest; }
  " was run: "System.OverflowException: Length of the access control list exceed the allowed maximum.
   at System.Security.AccessControl.RawAcl.InsertAce(Int32 index, GenericAce ace)
   at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
   at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
   at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
   at System.Security.AccessControl.DirectoryObjectSecurity.AddAccessRule(ObjectAccessRule rule)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnAcl(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, String objectIdentityString, ActiveDirectorySecurity acl, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnSd(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
```

The final product was duplicate management groups with no roles assigned:

(Screenshot: Exchange console, permissions)

Does anyone know if there is a way to assign roles to the new management groups, or if prepad has a verbose or debug switch to check the object to which it's unable to add ACL permissions?

Any idea is really welcome.


2 Answers


prepad? Did you mean Prepare AD?

If so, based on the error in the log and the role groups in your snapshot, the error in the logs seems to be caused by the length of the syntax which setup.exe used to generate role groups (especially the roles of Organization Management).

And there were duplicated role groups (except Organization Management) created after preparing AD (I guess that this role group is the one which was deleted accidentally). According to your snapshot, these duplicated groups are not assigned the corresponding roles, which means that you could delete them.

For the deleted role group Organization Management, you could manually create a group named Organization Management and assign the default (regular) roles to it in the EAC: Management roles assigned to this role group (please select/add the regular assignments; you could also assign some delegating assignments if you want to use a certain account to view/modify server settings). Don't forget to add your original members in Members:


  • Sorry, yes I mean PrepareAD. – allruiz Feb 03 '21 at 21:51
  • I am not able to add a new admin role. I just have the find and refresh icon if you check the image. – allruiz Feb 03 '21 at 21:52
  • Could you find any role groups which include the role "Role Assignment" if you run the command "Get-ManagementRoleAssignment -Role "Role Management" | ft RoleAssigneeName, Role -AutoSize"? If there are, add your current account as a member of one of these groups via ADUC (after accessing EAC again, your account should have the permissions to create a new role group). – Ivan_Wang Feb 04 '21 at 08:04
  • The command returned nothing, zero, nada. :( – allruiz Feb 05 '21 at 22:51
  • Based on my research, I found a similar thread: (https://social.technet.microsoft.com/Forums/en-US/fccf2640-41ea-47fa-94c4-0dde03aec03e/exchange2013-preparead-error-length-of-the-access-control-list-exceed-the-allowed-maximum?forum=exchangesvrgeneral), try to use ldp and see if there is any difference. – Ivan_Wang Feb 09 '21 at 10:16
  • @allruiz, hi, I'm here to confirm the progress of your thread; has your problem been fixed? If so, you could mark the best answer or share your solutions. – Ivan_Wang Feb 24 '21 at 01:54
  • We had to clean several ACLs for PrepareAD to finish correctly. After that, compare the membership of the new Management Role Groups with the old ones in the AD groups. Remove the old groups and rename the new ones. – allruiz Jul 14 '21 at 19:46
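The OverflowException above comes from RawAcl.InsertAce, which refuses to grow a DACL past the 16-bit size limit of an ACL (65535 bytes); deleted groups leave behind ACEs with SIDs that no longer resolve, and those dead entries still count against that limit. The following read-only audit is an added example (not code from the question or the answers) that reports DACL size and orphaned ACEs for the objects you pass in; it assumes the ActiveDirectory module (for the AD: drive) and read access to the objects, and defaults to the domain NC head, one of the objects PrepareAD/PrepareDomain writes ACEs to.

```powershell
# Added example, not from the original question or answers.
# Read-only audit of DACL size and orphaned ACEs on AD objects, aimed at the
# "Length of the access control list exceed the allowed maximum" failure.
# Assumes the ActiveDirectory module (AD: drive) and read access to the objects.
Import-Module ActiveDirectory

function Get-DaclReport {
    param(
        # Distinguished names to inspect; the default is the domain NC head.
        [string[]]$DistinguishedName = @((Get-ADDomain).DistinguishedName)
    )
    # An ACL's AclSize field is 16 bits wide, so a DACL cannot exceed 65535 bytes.
    $maxAclBytes = 65535
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        # Re-parse the binary security descriptor to get the raw DACL length and ACE count.
        $raw  = New-Object System.Security.AccessControl.RawSecurityDescriptor `
                    -ArgumentList @($acl.GetSecurityDescriptorBinaryForm(), 0)
        $dacl = $raw.DiscretionaryAcl
        # Get-Acl translates SIDs to NTAccount names; an IdentityReference that is
        # still a SecurityIdentifier belongs to a principal that no longer exists.
        $orphaned = @($acl.Access | Where-Object {
            $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
        })
        [pscustomobject]@{
            Object       = $dn
            AceCount     = $dacl.Count
            DaclBytes    = $dacl.BinaryLength
            PercentOfMax = [math]::Round(100 * $dacl.BinaryLength / $maxAclBytes, 1)
            OrphanedAces = $orphaned.Count
            OrphanedSids = ($orphaned.IdentityReference.Value | Sort-Object -Unique) -join ';'
        }
    }
}

# Example run: show objects whose DACL is above 90 % of the limit or carries orphaned ACEs.
Get-DaclReport | Where-Object { $_.PercentOfMax -gt 90 -or $_.OrphanedAces -gt 0 } |
    Format-Table -AutoSize
```

Run it before re-running PrepareAD and again after cleanup so the before/after DACL sizes and orphaned-SID lists are on record; it only reads security descriptors and changes nothing.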

Update: I was finally able to update Exchange. In order to complete this I had to do a couple of things. I replaced the HomeMDB attribute with the info for DB02. The mailboxes did have this filled, but it was for DB01, which is no longer being used and could not mount. I didn't realize this, as the server is only used for creating users and distribution groups and syncing them to O365. This DB basically has nothing on it. I was also told by a colleague that the system and discovery mailboxes needed to be disabled to complete the update. This explains the part of the error that says "The user's Active Directory account must be logon-disabled for linked, shared, or resource mailbox"; I understood this as the user running the update or a service account being used.