Topic Last Modified: 2008-10-17

The Microsoft Exchange Analyzer Tool queries the Active Directory directory service to determine the value of the memberOf attribute for the Exchange Servers container object.

The value of the memberOf attribute for the Exchange Servers container object represents Exchange Server 2007 administrator roles (called "security groups" in Exchange 2003) that the Exchange Servers group is a member of.

By default, in Exchange 2007 Service Pack 1 (SP1), the Exchange Servers group is a member of the Windows Authorization Access group in each domain that has Exchange servers or users with Exchange mailboxes. In Exchange 2007 RTM, the Exchange Servers group doesn't have membership in any other group.

If the Exchange Analyzer determines that the Exchange Servers group is a member of any non-default groups, the Exchange Analyzer displays a non-default configuration message.

If the Exchange Analyzer determines that the Exchange Servers group is a member of any groups that are denied specific Exchange extended rights, the Exchange Analyzer displays an error message.

Extended rights are custom rights specified by individual applications. They are specified in the access control list (ACL). Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."

The following groups, by default, have a Deny access control entry (ACE) for specific Exchange extended rights:

If the Exchange Servers group inherits, through transitive group membership, a Deny access control entry (ACE) for specific Exchange extended rights, Exchange client access server proxy issues may occur. The issue's symptoms may include, but are not limited to, the following:

Product Name

Exchange

Product Version

8.0

Product Build Number

8.0

Event ID

42

Event Source

MSExchange OWA

Component

Clients

Symbolic Name

ProxyErrorSslConnection

Message Text

Microsoft Exchange Client Access server "%1" attempted to proxy Outlook Web Access traffic to Client Access server "%2". This failed because one of these configuration problems was encountered:%n%n1. "%2" has been set to use "http://" (not using SSL) instead of "https://" (using SSL). You can modify this by setting the InternalUrl parameter of the Outlook Web Access virtual directory this proxy traffic is going to. You can set that parameter using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell.%n%n2. The destination virtual directory returned an HTTP 403 error code. This usually means it is not configured to accept SSL access. You can change this configuration by using Internet Services Manager on the Client Access server "%2".%n%nIf you do not want this proxy connection to use SSL, you need to set the registry key "AllowProxyingWithoutSSL" on this Client Access server and set the InternalUrl and SSL settings for the Outlook Web Access virtual directory this proxy traffic is going to accordingly.

To address the error, remove the Exchange Servers group from membership in the following groups:

To remove the Exchange Servers group from membership in a non-default or restricted group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers console tree, expand the domain.

  3. Navigate to and select the Microsoft Exchange Security Groups container.

  4. In the details pane, right-click the Exchange Servers group and then click Properties.

  5. On the Member Of tab, select the group(s) from which you want to remove the Exchange Servers group and click Remove.

  6. Confirm the removal by clicking Yes at the Remove user from group dialog box.

  7. Click OK to close the Exchange Servers Properties.

For more information about this issue, see the following Exchange resources: