I would love to share with you one old story that I had 3 years ago during the cross-forest Exchange migration (2007 to 2010).
After migration of mailboxes some of them cannot be disabled using Microsoft Exchange Shell or console. In order to resolve this problem Exchange Trusted Subsystem group had to be assigned Read All Properties and Write All Properties permissions on the domain container.
1. Launch ADSI Edit
2. Connect ADSI edit to the Default Naming Context
3. Right click the container that is corresponding to the domain DC=contoso,DC=com and go to the Security tab
4. Click on the Advanced button
5. On the Advanced Security Settings for contoso.com make sure you are on the Permissions tab and clock on the Add button
6. Select All Descendant objects in the Apply to section. In the list of permissions tick boxes next to Allow-Read all properties and Allow-Write all properties. Click OK
7. Wait for Active Directory replication to occur.
And it should do the magic.