none
exbpa Permissions Inheritance Block error - any risk in changing?

    Pergunta

  • Proabaly being over cautious here but it's one I don't want to do wrong. My Exchange 2007 (migrated from Ex2003) reports thsi error when running the Exchange Best Practice Analyzer:

    Access control list (ACL) inheritance is blocked for the Exchange Organization object (CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN). This may cause mail flow problems, store mounting issues and other service outages. Follow Microsoft Knowledge Base article 264733 and use the Exchange System Manager to re-enable inheritance on this object.

    I know what needs to be done but am I runnign any risk doing this?

    Exchange works fine as is.

    quinta-feira, 7 de junho de 2012 02:37

Respostas

  • It won't cause any issues, if inheritance has only have been removed.

    Make sure. no other permission changes have been made , for anyother convenience.

    Like "deny" for any security group below the "CHC"

    Open Adsiedit.msc

    Open Configuration Partition. Just go this location ,,

    See location from left to right

    CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN

    --Properties of CHC - security - Advanced - Inheritance check should not be there .

    It will be there for all other objects


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marcado como Resposta healthyCamper sexta-feira, 15 de junho de 2012 21:25
    quinta-feira, 7 de junho de 2012 14:53

Todas as Respostas

  • It won't cause any issues, if inheritance has only have been removed.

    Make sure. no other permission changes have been made , for anyother convenience.

    Like "deny" for any security group below the "CHC"

    Open Adsiedit.msc

    Open Configuration Partition. Just go this location ,,

    See location from left to right

    CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN

    --Properties of CHC - security - Advanced - Inheritance check should not be there .

    It will be there for all other objects


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marcado como Resposta healthyCamper sexta-feira, 15 de junho de 2012 21:25
    quinta-feira, 7 de junho de 2012 14:53
  • There are a number of explicit DENY permissions, but I don't have another Ex2007 to check them against to swee if they're the 'norm'. I think the reason inheritance was removed was for GFI MailEssentials as there's an account named 'GFI' added at this level, which couldn't have been unless Inheritance was removed.

    Are these normal permissions at this level?

    quinta-feira, 7 de junho de 2012 21:02
  • Hello healthyCamper,

    I suggest you go to enable inheritance for permissions on Organization object.

    Here is a related document for you:

    Permissions inheritance block on configuration object
    http://technet.microsoft.com/en-us/library/aa998240(EXCHG.80).aspx

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Evan Liu

    TechNet Community Support

    sexta-feira, 8 de junho de 2012 05:59
    Moderador
  • How about the issue, any updates?

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Evan Liu

    TechNet Community Support

    segunda-feira, 11 de junho de 2012 02:48
    Moderador
  • Hi Evan, Will be doing this weekend to allow back-out time just in case. Not in office this week.
    segunda-feira, 11 de junho de 2012 02:51
  • Happy to say my paranoia ill-founded. Change made, server restarted and no issues to report plus a nicer looking ExBPA

    sexta-feira, 15 de junho de 2012 21:26