Question : OWA 2007: "The administrative limit for this request was exceeded"

Mailbox migrated from 2003 to 2007 cannot access OWA any more (had worked previously)
After supplying credentials, there is a prompt to select language and time zone. Clicking OK results in the error.

OWA enabled on mailbox object
Doesn't matter which CAS is used to make the OWA connection
Gave another account Full Access to this mailbox - same error trying to access it via Webmail
No other accounts have this problem, including other users on same mailstore
Only notable thing about this account was that it was the first account enabled for a separate ongoing OCS deployment (enabled 2 months ago)


http://support.microsoft.com/kb/941146
ExchangeVersion : 0.1 (8.0.535.0)
ran comand below anyway:
Set-Mailbox User_Name -ApplyMandatoryProperties


http://support.microsoft.com/kb/949527
"Inherit from parent the permission entries that apply to child objects" set on Security tab - Advanced for:
1.  Specific AD account
2.  All containers under the root child domain container through to the specific container where the account is.

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38:

A problem occurred while trying to use your mailbox. Please contact technical support for your organization. Exception Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException Exception message: There was a problem accessing Active Directory. Call stack Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save() Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext) System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) Inner Exception Exception type: Microsoft.Exchange.Data.Directory.ADOperationException Exception message: Active Directory operation failed on watadc4.americas.cshare.net. This error is not retriable. Additional information: The administrative limit for this request was exceeded. Active directory response: 00002024: SvcErr: DSID-02050847, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026 Call stack Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId) Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties) Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save() Inner Exception Exception type: System.DirectoryServices.Protocols.DirectoryOperationException Exception message: The administration limit on the server was exceeded. Call stack System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation) Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Answer : OWA 2007: "The administrative limit for this request was exceeded"

We finally found what the issue was.  I had mentioned that this user was running a separate OCS deployment.  We were still running that antiquated instant messaging product from Exchange 2000.  He wanted to see who was still running the old IM client and added every IM user to his contact list.

When I ran LDP and loaded his user object, I found that his msExchIMACL attribute had 1162 entries of binary blobs.  I was unable to even move his AD account from one OU to another, getting that same "The administrative limit for this request was exceeded" in ADUC.  I disabled Exch2000 IM on his account, which removed that attribute.  After that, OWA access was fine.

This was the link that pointed me in the right direction:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/83087f21-ba51-414d-9202-badea56ba83b