Error when you move a mailbox in an Exchange Server 2013 environment: Cannot set folder security descriptor with non-canonical ACL
Original KB number: 2764844
Symptoms
When you try to move a mailbox in a Microsoft Exchange Server 2013 environment, you receive the following error message:
Error: Cannot set folder security descriptor with non-canonical ACL.
Cause
This issue occurs because the mailbox has a corrupted access control list (ACL).
Resolution
To resolve this issue, follow these steps:
Run the following commands to identify the ACL that causes this issue:
$mr = Get-MoveRequestStatistics -IncludeReport <mailboxIdentity>
$mr.Report.Failures
Remove the corrupted ACL by using the ExFolders tool.
Workaround
To work around this issue, run the following New-MoveRequest cmdlet together with the -SkipMoving:FolderACLs switch:
New-MoveRequest -Identity <username> -TargetDatabase "database name" -SkipMoving:FolderACLs
Note
When you move the mailbox by using the -SkipMoving:FolderACLs switch, Exchange Server 2013 doesn't move the ACLs of the folders in the mailbox. Therefore, after you move the mailbox, all the folders have default permissions.