If you are scratching your head wondering why you are still getting access denied when you delegate full access to a user account at the top of an Exchange organization for administration purposes or 3rd party applications (migration tools, etc).
Troubleshooting Step 1
Try running the Exchange Best Practices Analyzer against the problem organization and perform a permissions check. It might indicate that there is a problem and direct you on resolving it or at least point you in the right direction.
Troubleshooting Step 2
The ESM GUI will probably tell you that your account has full rights all the way down to the database level. Try opening up ADSI Edit, set the well known name context to "Configuration". Start at the "CN=Services" container and browse down to the Exchange organization and expand the CN=Administrative Groups" container all the way to the mailbox/public folder store levels. Once you get to the bottom-most level check the properties and permissions on the database objects and make sure "allow inheritance" is turned on in the advanced settings. If it’s not turned on at the database level that’s probably why you are getting denied.
Note: Use caution with ADSI Edit. It is very powerful and you can damage your AD environment if not used properly. Consult Microsoft PSS before making any modifcations and test in a lab environment before implementing in production. They may have some other things to check as well.
These steps might help you locate the source of the problem but resolving it may be a little more tricky so do yourself a favor and open a ticket with Microsoft.
