Export (0) Print
Expand All
Expand Minimize

Error while upgrading ACLs

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2007-02-15

The Microsoft Exchange Analyzer Tool queries the Win32_NTLogEvent Microsoft Windows Management Instrumentation (WMI) class to determine whether an Event 9551 error has been logged for MSExchangeIS within the last hour.

If the Exchange Analyzer finds that an Event 9551 error has been logged in the last hour, the Exchange Analyzer then counts the total number of Event 9551 errors that have been logged for that hour.

Finally, if the Exchange Analyzer finds that an Event 9551 error has been logged 20 or more times in the last hour, the Exchange Analyzer displays a warning.

This error indicates that there may be user accounts that appear in an access control list (ACL) for a mailbox resource or public folder but are not associated with valid Active Directory directory service objects.

A mailbox that is on a server that is running Microsoft Exchange Server 2003 or Exchange 2000 Server must be represented in Active Directory by a valid Active Directory directory service user account to be accessible.

An account without valid representation in Active Directory can be created if the Exchange 2000 Server or Exchange Server 2003 mailbox resource or public folder is not updated after a mailbox is deleted on the Exchange Server 5.5-based computer.

If the deleted mailbox account remains on the ACL of a mailbox resource or public folder, every time that mailbox resource or public folder is accessed and Exchange tries to resolve the accounts listed, the account with no valid representation in Active Directory cannot be resolved. This process can manifest itself as a performance issue.

To address this issue:

  • Make sure that Exchange 2000 Server Service Pack 3 (SP3) or a later version is installed. To obtain the latest Exchange 2000 Server Service Pack, see Microsoft Knowledge Base article 301378, "How to obtain the latest Exchange 2000 Server service pack" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=301378).
  • Use Exchange System Manager to manually remove the invalid mailbox accounts from the ACL.
  • If the Exchange environment is in Exchange Mixed Mode, run the DS/IS consistency checker against the information store.
  • If the Exchange environment is in Exchange Native Mode, follow the guidance in Microsoft Knowledge Base article 324323, "XADM: Skipping User Accounts That Are Not Represented in Active Directory During Access Control List Conversion" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=324323).
To use Exchange System Manager to manually remove the invalid accounts from the ACL
  1. Start Exchange System Manager and locate the folder identified by the 9551 error.

  2. Right-click the folder and select Properties.

  3. Select the Permissions tab and then click Client Permissions.

  4. In the Name pane, select the user account identified by the 9551 error and then click the Remove button to remove the account from the ACL.

To run the DS/IS consistency checker against the information store in Exchange Mixed Mode
  1. In the Exchange Server 5.5 Administrator program, click the Exchange 5.5 Server computer that contains the information store.

  2. On the File menu, click Properties, and then click the Advanced tab.

  3. Click Consistency Adjustment.

  4. Click to select the Remove unknown user accounts from public folder permissions and the Remove unknown user accounts from mailbox permissions check boxes, and then click All Inconsistencies.

  5. Click to clear all other check boxes, and then click OK

For more information about this issue, see the following Microsoft Knowledge Base articles and Exchange Server Resources:

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft