Unable to update the mailbox security descriptor in the directory service

 

Topic Last Modified: 2009-07-15

The Microsoft Exchange Server 2007 Management Pack for Operations Manager monitors the Windows Application log on computers that are running Exchange Server 2007 and generates this alert when the event or events specified in the following Details table are logged.

To learn more about this alert, if you are using Microsoft Operations Manager 2005, do one or more of the following:

  • From the Operator Console, select this alert, and then click the Properties tab. Review the description of the alert that includes the variables specific to your environment.

  • From the Operator Console, click the Events tab, and then double-click the event in the list for which you want to review the event description. Review the events that have been logged that meet the criteria of this Operations Manager alert.

To learn more about this alert, if you are using System Center Operations Manager 2007, do one or more of the following:

  • From the Operations Console, double-click this alert, and then click the General tab. Review the description of the alert that includes the variables specific to your environment.

  • From the Operations Console, double-click this alert, and then click the Alert Context tab. Review the events that have been logged that meet the criteria of this Operations Manager alert.

Details

Product Name: Exchange

Product Version: 8.0 (Exchange Server 2007)

Event ID: 9554

Event Source: MSExchangeIS*

Alert Type: Warning

MOM Rule Path: Microsoft Exchange Server/Exchange 2007/Mailbox/Information Store

MOM Rule Name: Unable to update the mailbox security descriptor in the directory service.

Explanation

This Warning event indicates a problem with the directory permissions of a particular mailbox. The user could be having problems accessing his or her account.

User Action

To resolve this warning, locate the mailbox by searching for the msExchMailboxGUID in the directory, and then restore the appropriate mailbox permissions.

Step 1: Locate the mailbox with which you experience the issue

If you do not know which mailbox causes the issue, use the Active Directory Administration tool (LDP.exe) to determine the mailbox name. To do this, follow these steps:

  1. In the Application log on the Exchange Mailbox server, locate event ID 9554. This event contains a 32-character GUID that you can use to identify the mailbox. For example, the event description may contain a GUID that resembles the following sample GUID:

    f911a4c2-42de-42c1-8d97-abef7766063c

  2. Convert the 32-character GUID to an msExchMailbox value. To do this, follow these steps:

    1. Paste the mailbox identifier GUID from the Description box of event ID 9554 into a text editor such as Notepad. The GUID consists of five sections that are separated by hyphens.

    2. On a blank line in Notepad, type the characters from the first section of the GUID (f911a4c2) in two-character portions, in reverse order, with a backslash character before each portion. For example, type \c2\a4\11\f9.

      Note

      You must include the initial backslash character.

    3. On the same line, type the characters from the second section of the GUID (42de) in two-character portions, in reverse order, with a backslash character before each portion. For example, type \de\42.

    4. Type the characters from the third section of the GUID (42c1) in two-character portions, in reverse order, with a backslash character before each portion. For example, type \c1\42.

    5. Type the characters from the fourth section of the GUID (8d97) in two-character portions separated by backslash characters. For example, type \8d\97.

      Note

      For this section of the GUID, do not reverse the order of the two-character sections.

    6. Type the characters from the fifth section of the GUID (abef7766063c) in two-character portions separated by backslash characters. For example, type \ab\ef\77\66\06\3c.

      Note

      For this section of the GUID, do not reverse the order of the two-character sections.

    7. Add each of the retyped GUID sections together to form the msExchMailbox value. For example, the final GUID sections should appear as:

      \c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c

    8. On a new line in Notepad, use this new msExchMailbox value to create an msExchMailboxGUID entry that resembles the following:

      (msExchMailboxGUID=\c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c)

      Note

      You must include the parentheses in this character string.

  3. Start the Active Directory Administration Tool (LDP.exe). This tool is included with the Windows Support Tools on the Windows Server CD.

  4. On the Connection menu, click Connect.

  5. In the Server box, type the name of a domain controller. Leave the default port selection as 389, unless you have set up your LDAP port configurations differently on the domain controller, and then click OK.

  6. On the Connection menu, click Bind.

  7. Type the user name, password, and domain information for a user who has access to view the Active Directory root tree, and then click OK.

  8. On the View menu, click Tree.

  9. Leave the BaseDN box blank, and then click OK. By default, this switches the focus to the BaseDN of the root Active Directory tree.

  10. Expand the domain container (DC=example,DC=com), right-click the user's container, and then click Search.

  11. Copy the new msExchMailboxGUID entry, including the parentheses, from Notepad, and paste it into the Filter box, replacing the existing filter. The Filter box should now contain an entry that resembles the following:

    (msExchMailboxGUID=\c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c)

  12. Click Subtree, and then click Run. Do not modify the contents of the BaseDN box.

    The mailbox information and mailbox owner are returned.
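The GUID-to-filter conversion in step 2 can be scripted instead of retyped by hand. The following Python sketch is an added example, not part of the original article or of any Microsoft tool; the function names and the sample event text are assumptions, and only the GUID is the article's sample value. It also decodes a filter back to a GUID so a hand-typed filter can be checked against the event.

```python
import re
import uuid

GUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)
FILTER_RE = re.compile(r"\(msExchMailboxGUID=((?:\\[0-9a-fA-F]{2}){16})\)")


def guid_to_ldap_bytes(guid: str) -> str:
    """Steps 2.1-2.7: reverse the byte order of sections 1-3, keep
    sections 4-5 as written, and put a backslash before every byte."""
    guid = guid.strip().lower()
    if not GUID_RE.fullmatch(guid):
        raise ValueError(f"not a GUID in 8-4-4-4-12 form: {guid!r}")
    out = []
    for index, section in enumerate(guid.split("-")):
        pairs = [section[i:i + 2] for i in range(0, len(section), 2)]
        if index < 3:  # the first three sections are stored little-endian
            pairs.reverse()
        out.extend(pairs)
    # Cross-check the manual shuffle against the standard GUID byte layout.
    if bytes.fromhex("".join(out)) != uuid.UUID(guid).bytes_le:
        raise RuntimeError("byte order mismatch")
    return "".join("\\" + p for p in out)


def mailbox_guid_filter(guid: str) -> str:
    """Step 2.8: wrap the escaped bytes in the filter, parentheses included."""
    return "(msExchMailboxGUID=" + guid_to_ldap_bytes(guid) + ")"


def filter_to_guid(ldap_filter: str) -> str:
    """Reverse direction: recover the GUID string from a filter."""
    m = FILTER_RE.fullmatch(ldap_filter.strip())
    if not m:
        raise ValueError("filter is not 16 backslash-escaped bytes")
    raw = bytes.fromhex(m.group(1).replace("\\", ""))
    return str(uuid.UUID(bytes_le=raw))


def filters_from_event_text(description: str) -> list[str]:
    """Build one filter per distinct GUID found in an event description."""
    seen = dict.fromkeys(g.lower() for g in GUID_RE.findall(description))
    return [mailbox_guid_filter(g) for g in seen]


# Constructed event text; only the GUID is the article's sample value.
SAMPLE_EVENT = "Event 9554 (constructed): mailbox f911a4c2-42de-42c1-8d97-abef7766063c"

if __name__ == "__main__":
    for f in filters_from_event_text(SAMPLE_EVENT):
        print(f, "<-", filter_to_guid(f))
```

The output of mailbox_guid_filter can be pasted directly into the LDP.exe Filter box in step 11.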

Step 2: Modify the mailbox permissions

  1. Start the ADSI Edit tool, and then go to the domain partition.

  2. Right-click the user account that was returned earlier, and then click Properties.

  3. Click the Security tab, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.

    Note

    Do not click to select this check box for the Built-in\Administrator account or for any <Domain>\Administrator objects.

  4. Exit the ADSI Edit snap-in.

For More Information

To search the Microsoft Knowledge Base articles based on criteria that generated this alert, visit the Search the Support Knowledge Base (KB) Web site.

To review Exchange Server 2007 event message articles that may not be represented by Exchange 2007 alerts, see the Events and Errors Message Center.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.