I have started having an issue when trying to change a user/mailboxes country/region through Exchange Admin Center in Exchange 2016.
When attempting to do so, I get this error:
Active Directory operation failed on DC. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active Directory response: 00002098: SecErr: DSIS-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Other reports of this error do not seem to have a resolution that applies to us. Oddly, If I go into ADUC, and find the same user account, I can easily change the country/region using my same domain login (member of domain admins and enterprise admins).
Does anyone have any thoughts on why I can change this attribute directly through AD but not Exchange?
EDIT: Also have this post on the TechNet forum trying to identify the cause of this issue: Technet Post
Answer was found with some assistance from Allen on the technet forum here
User object security inheritance seems to be disabled for many of our user objects, while newly created objects have it enabled, and can be edited through ECP.