Topic Last Modified: 2006-04-13

The Microsoft® Exchange Server Analyzer Tool checks Active Directory® domain objects such as containers and organizational units. If permissions inheritance is blocked in the containers or organizational units, the Exchange Server Analyzer displays an error.

The Exchange Server Analyzer identifies the specific object.

When changes are made to an Active Directory domain object, changes to the access control list (ACL) are overwritten. Even if 'Inherit from parent' is manually enabled, applied inheritance is disabled when changes are applied to the ACL. This condition causes Recipient Update Service (RUS) issues, because RUS does not have the necessary permissions for an Active Directory organizational unit that the accounts reside in.

This behavior can occur if you disabled the Allow inheritable permissions from parent to propagate to this object check box in the Active Directory organizational unit that the accounts reside in.

To resolve the problem, use the Active Directory Users and Computers snap-in or Active Directory Service Interfaces (ADSI) Edit to reestablish inheritable permissions for the organizational unit. Follow the detailed steps under scenario two in the Microsoft Knowledge Base article 254030, "Missing permissions cause the Recipient Update Service not to process accounts in Exchange 2000 Server and Exchange Server 2003" (

For more information about access control lists (ACLs) in Microsoft Windows Server 2003™ Active Directory, see "How Security Descriptors and Access Control Lists Work" (

For more information about permissions inheritance, see "How Permissions Work" (