Error when you move a mailbox in an Exchange Server 2013 environment: Cannot set folder security descriptor with non-canonical ACL

Original KB number:  2764844


When you try to move a mailbox in a Microsoft Exchange Server 2013 environment, you receive the following error message:

Error: Cannot set folder security descriptor with non-canonical ACL.


This issue occurs because the mailbox has a corrupted access control list (ACL).


To resolve this issue, follow these steps:

  1. Run the following commands to identify the ACL that causes this issue:

    $mr = get-moverequeststatistics -IncludeReport <mailboxIdentity>  
  2. Remove the corrupted ACL by using the ExFolders tool.


To work around this issue, run the following new-MoveRequest cmdlet together with the -SkipMoving:FolderACls switch:

New-moverequest -Identity <username> -Target Database "database name" -SkipMoving:FolderViews


When you move the mailbox by using the -SkipMoving:FolderACls switch, Exchange Server 2013 doesn't move the ACLs of the folders in the mailbox. Therefore, after you move the mailbox, all the folders have default permissions.