
Write DACL inherit - How to remove


Feda

Jan 13, 2009, 2:27:03 PM
We migrated our Exchange 2003 server to 2007 recently and must have missed a
few steps while we were doing it and still have traces of our old server in the
system.
Best Practices Analyzer Tool reports that we need to delete Write DACL
inherit for the old server which I attempted to do following the instructions
provided in the link but I had no success with it.
Since the old server is not connected to the network any more, I tried the
Remove Connector cmdlet but it only removed one of the connectors.
This is causing our Outlook 2007 clients to ask for user name and password
for the old server at startup.
Is there a way for me to still fix this issue?

Thanks.

Michael Dragone

Jan 13, 2009, 3:27:59 PM
The PowerShell command provided here
(http://technet.microsoft.com/en-us/library/bb288905.aspx) is:

Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

What other steps on that page did you not do?


Feda

Jan 14, 2009, 3:28:04 PM
I missed the "Remove-ADPermission" part before so I tried it after reading
your post. I received an error that Remove-ADPermission is not recognized as
an internal or external command.
I'm also not quite in the clear what I should use for Domain and Root
Domain. Can those be the same?

Michael Dragone

Jan 14, 2009, 4:02:22 PM
They could be; it depends on how many domains you have in your environment.

You ran Remove-ADPermission from the Exchange Management Shell?


Feda

Jan 15, 2009, 1:10:01 PM
We have only one domain so that clarified it. I was also not using the
Exchange Management Shell.
I received the following message after running the command:


Remove-ADPermission : Cannot remove ACE on object "DC=sagrescorp,DC=local" for account "SAGRESNET\Exchange Servers" because it is not present.
At line:1 char:20
+ Remove-ADPermission <<<< "dc=sagrescorp,dc=local" -user "sagrescorp.local\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

Best Practices Analyzer still shows the old server on the list of servers
under "First Administrative Group" but it did not have the Write DACL Inherit
issue listed any more.

Michael Dragone

Jan 16, 2009, 10:28:46 AM
Okay. Are you continuing with your decommissioning of 2000/2003 then?


Feda

Jan 16, 2009, 11:29:01 AM
We removed our Exchange 2003 server about 2 months ago.

Pete

Apr 23, 2009, 9:54:03 AM
I'm having the exact problem and error message when I run the command. I
removed our Exchange 2003 server months ago.

Pete

kgb

May 21, 2009, 11:13:17 AM
You may need to use "<RootDomain>\Exchange Enterprise Servers" rather than
"<RootDomain>\Exchange Servers". The Exchange Best Practice Analyzer will
tell you which one you need to remove.
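
Editor's added example, not part of any post in this thread: a way to check which of the two groups named above actually holds a WriteDacl ACE on the domain object before removing it, so the "not present" error is avoided. It assumes the Exchange Management Shell; `$domainDn` and `$netbios` are placeholders to replace with your own values, and the variable names are illustrative.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Placeholders: substitute your own domain DN and NetBIOS domain name.
$domainDn = 'dc=<Domain>'
$netbios  = '<RootDomain>'
$groups   = "$netbios\Exchange Servers", "$netbios\Exchange Enterprise Servers"

foreach ($group in $groups) {
    # Collect allow ACEs this group holds on the domain object that include WriteDacl.
    $aces = @(Get-ADPermission -Identity $domainDn -User $group -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.AccessRights -match 'WriteDacl') })

    if ($aces.Count -eq 0) {
        Write-Host "No WriteDacl ACE for $group on $domainDn"
        continue
    }

    # Show what was found, including the object type it applies to and
    # whether it is inherited from a parent object.
    $aces | Format-List User, AccessRights, InheritedObjectType, IsInherited

    # -WhatIf reports the removal that would occur without changing the ACL.
    # Drop -WhatIf once the output matches what the Best Practices Analyzer flagged.
    Remove-ADPermission -Identity $domainDn -User $group -AccessRights WriteDacl `
        -InheritedObjectType Group -WhatIf
}
```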