Missing Rights for Impersonation Account to Active Directory: AD Solution to LDAP error code 32 Issue

  • 7020594
  • 08-Dec-2014
  • 07-Aug-2017


Retain 3.x, 4.x
Exchange 2007, 2010, 2013, 2016


Retain could archive mailboxes that were listed explicitly in the job, but a job set to archive the entire mail server failed.  The Worker log showed the following error.  Customer-identifying values were replaced with bracketed placeholders in the error and removed from the customer's screenshot of Active Directory Sites and Services.

10:07:52,746 LiveEWSUserSelection - javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:     'CN=InformationStore,CN=EXCH01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=[organization name],CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[domain],DC=local']; remaining name 'CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=[organization name],CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[domain],DC=local'


This was a rights issue on Exchange 2007, but it can also occur with Exchange 2010 or later.  Before archiving, Retain does an LDAP lookup against Active Directory to build the list of Exchange users, and for that it reads the Exchange configuration objects under CN=Services,CN=Configuration.  Active Directory reports an object the caller is not permitted to list or read as non-existent (LDAP error 32, NO_OBJECT) rather than as access denied, so a missing permission looks like a missing object: the "best match of" DN in the error is the deepest object the account could see, and the objects below it in the requested DN (here First Storage Group and Mailbox Database) are the ones it could not.  In this case the impersonation account set up for Retain to access the mailboxes did not have rights to that part of Active Directory.  To resolve the issue, follow these steps:

  1. Launch Active Directory Sites and Services.
  2. The Services node is not visible by default, so select the top node and then click View | Show Services Node. You can then traverse the tree to the object named in the error from the Worker log.

In this case, it was:  Services/Microsoft Exchange/[organization name]/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT)/Servers/EXCH01/InformationStore/First Storage Group/

  3. Right-click that object, select Properties | Security, and find the account used as the Retain Application Impersonation user (add it if it is not listed).
  4. Grant the Retain Application Impersonation user the missing permissions on the object. The original article grants all permissions; the LDAP lookup only reads the object and its children, so Read (List contents, Read all properties, Read permissions) applied to this object and its descendants is sufficient and is the least-privilege choice. Then rerun the archive job.
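The same check and fix from PowerShell, as an added example that is not part of the original article: it reproduces Retain's lookup as the impersonation account (a "no such object" result is the same LDAP error 32 condition the Worker log shows), lists any ACEs the account already has on the object, and grants it Read with inheritance. The domain controller, account name, organization name and domain DN are assumptions standing in for the redacted values; it requires the ActiveDirectory module (RSAT) and an account allowed to edit security on the Exchange configuration container.

```powershell
# Added example, not from the original article: reproduce Retain's LDAP lookup as the
# impersonation account, show the ACL on the object named in the Worker log, and grant
# that account Read on it. Requires the ActiveDirectory module (RSAT) and an account
# that can edit the Exchange configuration container's security (e.g. a domain admin).
Import-Module ActiveDirectory

# --- assumed values; replace with your own ---------------------------------------------
$Dc         = 'dc01.example.local'          # a domain controller (assumption)
$RetainUser = 'EXAMPLE\svc-retain'          # Retain Application Impersonation user (assumption)
$RetainCred = Get-Credential -UserName $RetainUser -Message 'Impersonation account password'
# DN of the object the article's steps lead to (First Storage Group), built from the
# Worker log with the redacted values filled in by assumption.
$OrgName    = 'ExampleOrg'                  # CN=[organization name] (assumption)
$DomainDn   = 'DC=example,DC=local'         # DC=[domain],DC=local (assumption)
$TargetDn   = "CN=First Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers," +
              "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," +
              "CN=$OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,$DomainDn"

# 1. Can the impersonation account see the object? AD answers "no such object"
#    (LDAP error 32) for objects the caller may not list or read, which is exactly
#    what Retain logged, so $false here reproduces the problem.
function Test-VisibleAs {
    param([string]$Dn, [pscredential]$Cred)
    try {
        $null = Get-ADObject -Identity $Dn -Server $Dc -Credential $Cred -ErrorAction Stop
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

# 2. Which ACEs on the object mention the impersonation account (if any)? A Deny entry
#    here, or no entry at all, explains the lookup failure.
function Show-AceFor {
    param([string]$Dn, [string]$Account)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference -eq $Account } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
}

# 3. Grant Read (GenericRead = list children, read properties, read permissions) on the
#    object and everything beneath it, so the mailbox database inherits it. This is the
#    least privilege an LDAP lookup needs; the article's "all permissions" also works but
#    gives the account more than it uses. Applying the same ACE at CN=Microsoft Exchange
#    instead of one storage group covers every server and database in the organization.
function Grant-ReadOnAdObject {
    param([string]$Dn, [string]$Account)
    $sid  = (Get-ADUser -Identity ($Account -split '\\')[-1] -Server $Dc).SID
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

"Before: visible to $RetainUser = $(Test-VisibleAs -Dn $TargetDn -Cred $RetainCred)"
Show-AceFor -Dn $TargetDn -Account $RetainUser
if (-not (Test-VisibleAs -Dn $TargetDn -Cred $RetainCred)) {
    Grant-ReadOnAdObject -Dn $TargetDn -Account $RetainUser
    "After:  visible to $RetainUser = $(Test-VisibleAs -Dn $TargetDn -Cred $RetainCred)"
}
```

Run the "Before" check first on its own: if it already returns true, the account can see the object and the cause is elsewhere (for example the deleted-user case below), and no ACL change is needed.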

Exchange 2007+
This error can also be thrown when a user was added manually to a Retain archive job and later deleted from Exchange. Remove the user from the job's list of users and the archive job should run. A better solution is to create a distribution list in Exchange and select that distribution list in Retain; membership is then maintained in Exchange rather than in the job, which prevents the error from recurring.
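A check for that second cause from the Exchange Management Shell, added here and not part of the original article: it reports which addresses in a job's user list no longer resolve to an Exchange recipient, then builds the distribution group the article recommends from the ones that still do. The address list and the group name are constructed sample values.

```powershell
# Added example, not from the original article: in the Exchange Management Shell, find
# entries in a Retain job's user list that no longer exist in Exchange, and build the
# distribution group the article recommends so the job's membership stays current.
# $JobUsers is a constructed sample; in practice paste the addresses from the Retain job.
$JobUsers  = @('alice@example.local', 'bob@example.local', 'carol@example.local')
$GroupName = 'Retain Archive Users'   # group the Retain job will select (assumption)

# Get-Recipient returns nothing for a deleted mailbox, so collect those addresses.
$stale = foreach ($addr in $JobUsers) {
    if (-not (Get-Recipient -Identity $addr -ErrorAction SilentlyContinue)) { $addr }
}
if ($stale) { "Remove from the Retain job (no longer in Exchange): $($stale -join ', ')" }

# Create the group once, then add only the addresses that still resolve. Point the
# Retain job at this group instead of at individual users.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName | Out-Null
}
foreach ($addr in $JobUsers) {
    if ($stale -notcontains $addr) {
        Add-DistributionGroupMember -Identity $GroupName -Member $addr -ErrorAction SilentlyContinue
    }
}
Get-DistributionGroupMember -Identity $GroupName | Select-Object Name, PrimarySmtpAddress
```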

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2417.