Permissions inheritance block on configuration object

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-05-25

The Microsoft® Exchange Analyzer Tool queries every Exchange configuration object in the Active Directory® database to determine whether any object has permissions inheritance blocked. If permissions inheritance is blocked for an Exchange configuration object, the Exchange Server Analyzer displays an error.

In the error message, Exchange Analyzer identifies the configuration object for which permissions inheritance is disabled.

Exchange Analyzer retrieves discretionary access control lists (DACLs) from Active Directory for Exchange objects in the Configuration container. By default, objects such as servers that are running Exchange and Exchange Server protocols are set to inherit permissions when Exchange is installed. When permissions are accidentally removed or modified, an object may be prevented from inheriting permissions. In this scenario, mail flow problems, such as messages remaining in the queues, and store mounting problems may slow Exchange Server responsiveness.

Note

The access control list (ACL) is a list of security protections that apply to a whole object, a set of the object's properties, or an individual property of an object. There are two kinds of access control lists: discretionary and system.

To address this issue, re-enable permission inheritance for the particular Exchange object.

To re-enable permissions inheritance for an Exchange configuration object in Exchange Server 2003, or an earlier version

  1. Enable the Security tab for the object properties box of Exchange System Manager by setting a registry parameter. For detailed steps, see Microsoft Knowledge Base article 264733, "How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=264733).

    Note

    By default, the Security tab is not enabled in the configuration object properties box.

  2. Start Exchange System Manager, and then locate the object that is mentioned in the Exchange Analyzer error message. For example, to locate the mailbox store, expand Administrative Groups, expand your administrative group, expand Servers, expand the appropriate server that is running Exchange, and then expand the appropriate storage group.

  3. Right-click the Exchange object. For example, right-click Mailbox Store (<ServerName>). Then, click Properties.

  4. Click the Security tab, and then click Advanced.

    Note

    By default, the Security tab does not appear. You must follow the steps in Knowledge Base article 264733 to enable the Security tab.

  5. Click to select the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.

  6. Click OK.

  7. Restart the server that is running Exchange.

For more information about discretionary access control lists in Windows Server 2003 Active Directory, see "How Security Descriptors and Access Control Lists Work" (https://go.microsoft.com/fwlink/?LinkId=64193).

For more information about permissions inheritance, see "How Permissions Work" (https://go.microsoft.com/fwlink/?LinkId=64195).

To re-enable permissions inheritance for an Exchange configuration object in Exchange Server 2007 or a later version

  1. Install ADSI Edit and then start ADSI Edit.

  2. Click Start, click Run, type adsiedit.msc, and then click OK.

  3. Locate the object in question, right-click the object, and then click Properties.

  4. On the Security tab, click Advanced.

  5. Click Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.

  6. Click OK two times to apply the change.

  7. Wait for Active Directory replication to propagate the changes, or force Active Directory replication if it is necessary.

For more information about how to force Active Directory replication, see Microsoft Knowledge Base article 232072, "Initiating Replication Between Active Directory Direct Replication Partners".
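The ADSI Edit steps above fix one object at a time. The following PowerShell script is an added example, not code from this article or from the Exchange Server Analyzer, that walks the whole Exchange configuration container with the .NET DirectoryServices API, reports every object whose DACL has inheritance blocked (the condition the Analyzer flags), and re-enables inheritance only when run with -Fix. It assumes a domain-joined Windows host and an account with read (and, for -Fix, write) access to the Configuration partition.

```powershell
# Added example (not from the Exchange Server Analyzer documentation): audit every
# object under CN=Microsoft Exchange,CN=Services in the Configuration partition for
# blocked permissions inheritance, and optionally re-enable it.
# Assumptions: domain-joined Windows host with .NET DirectoryServices available, run as
# an account that can read (and, with -Fix, write) the Configuration naming context.
function Repair-ExchangeConfigInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Report only by default; -Fix re-enables inheritance on blocked objects.
        [switch]$Fix
    )

    # Resolve the Configuration naming context from RootDSE instead of hard-coding it.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $exchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($exchRoot)
    $searcher.Filter      = "(objectClass=*)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000   # page results so large organizations are fully covered
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $dn    = $result.Properties["distinguishedname"][0]
        $entry = $result.GetDirectoryEntry()
        # ObjectSecurity wraps the object's DACL. AreAccessRulesProtected is $true exactly
        # when "Allow inheritable permissions from the parent to propagate..." is cleared.
        $acl = $entry.psbase.ObjectSecurity
        if (-not $acl.AreAccessRulesProtected) { continue }

        $repaired = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($dn, "Re-enable permissions inheritance")) {
            # First argument $false: stop protecting the DACL from inheritance.
            # Second argument $true: keep the explicit ACEs already on the object.
            $acl.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
            $repaired = $true
        }

        # One record per blocked object; pipe to Export-Csv for an audit trail.
        [pscustomobject]@{
            DistinguishedName  = $dn
            InheritanceBlocked = $true
            Repaired           = $repaired
        }
    }
}

# Default run is report-only; use -Fix -WhatIf to preview, -Fix to apply.
Repair-ExchangeConfigInheritance | Format-Table -AutoSize
```

As the article notes, after a repair wait for Active Directory replication (or force it), and on Exchange Server 2003 restart the Exchange server.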