SearchFolderManager fails to create search folder. Error 8004011d

Problem

SearchFolderManager fails to create search folder. Error 8004011d

Error Message

SearchFolderManager fails to create search folder with below on-screen error:

C:\Program Files (x86)\Enterprise Vault>SearchFolderManager.exe "/o=Veritas Lab/ ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=20fa78ad8e2d4bfbb414fc315d97bba7-Test"

Managing search folders for mailbox:
    /o=Veritas Lab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipie nts/cn=20fa78ad8e2d4bfbb414fc315d97bba7-Test
Error 8004011d

Cause

Vault Service Account has deny permissions either by inherited group membership or by explicit deny permission set. 

The following Exchange management shell command can be used to verify the permission for the affected account:

Get-Mailbox "test@ev.local" |Get-Mailboxpermission |ft user,accessright*, *inher*,*Deny*

Although Vault Service Account (VSA) has been delegated full access permission on the user mailbox, it is overwritten by direct deny permission due to VSA being part of the Organization Management Group.

Solution

Check if the Vault Service Account is a member of the Organization Management Role Group. 

Get-RoleGroupMember -Identity "Organization Management"

Preferably, remove the membership of VSA from the Organization Management group:

Remove-RoleGroupMember "Organization Management" -Member "<Vault Service Account Name Here>"

Alternatively, you can also perform the same steps within the Exchange Admin Center (EAC).  See the steps below for Exchange 2013/2016/2019:

NOTE: If it is a must to have the VSA within the Organization Management group, then provide explicit Full Access permission to the Vault Service account on all the mailboxes in the organization.