Permissions inheritance block on configuration object

Topic Last Modified: 2009-03-11

The Microsoft® Exchange Analyzer Tool queries every Exchange configuration object in the Active Directory® database to determine whether any object has inheritance permissions blocked. If permissions inheritance is blocked for an Exchange Configuration object, the Exchange Server Analyzer displays an error.

In the error message, Exchange Analyzer identifies the configuration object for which permissions inheritance is disabled.

Exchange Analyzer retrieves discretionary access control lists (DACLs) from the Active Directory for Exchange objects in the Configuration container. By default, objects such as Exchange servers and Exchange Server protocols are set to inherit permissions when Exchange is installed. When permissions are accidentally removed or modified, an object may be prevented from inheriting permissions. In this scenario, mail flow problems, such as messages remaining in the queues, and store mounting problems may slow Exchange Server responsiveness.

Note:
The access control list (ACL) is a list of security protections that apply to a whole object, a set of the object's properties, or an individual property of an object. There are two kinds of access control lists: discretionary and system.

To address this issue, re-enable permission inheritance for the particular Exchange object.

To re-enable permissions inheritance for an Exchange configuration object

Enable the Security tab for the object properties box of Exchange System Manager by setting a registry parameter. For detailed steps, see Microsoft Knowledge Base article 264733, "How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=264733).

Note:

By default, the Security tab is not enabled in the configuration object properties box.
Start Exchange System Manager, and then locate the object that is mentioned in the Exchange Analyzer error message. For example, to locate the mailbox store, expand Administrative Groups, expand your administrative group, expand Servers, expand the appropriate Exchange server, and then expand the appropriate storage group.
Right-click the Exchange object. For example, right-click Mailbox Store (<ServerName>). Then, click Properties.
Click the Security tab, and then click Advanced.

Note:

By default, the Security tab does not appear. You must follow the steps in Knowledge Base article 264733 to enable the Security tab.
Click to select the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.
Click OK.
Restart the Exchange server.

Note:
By default, the Security tab is not enabled in the configuration object properties box.

Note:
By default, the Security tab does not appear. You must follow the steps in Knowledge Base article 264733 to enable the Security tab.

For more information about discretionary access control lists in Windows Server 2003 Active Directory, see "How Security Descriptors and Access Control Lists Work" (http://go.microsoft.com/fwlink/?LinkId=64193).

For more information about permissions inheritance, see "How Permissions Work" (http://go.microsoft.com/fwlink/?LinkId=64195).