
Exchange Servers group does not have default group membership

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2008-10-17

The Microsoft Exchange Analyzer Tool queries the Active Directory directory service to determine the value of the memberOf attribute for the Exchange Servers container object.

The value of the memberOf attribute for the Exchange Servers container object represents Exchange Server 2007 administrator roles (called "security groups" in Exchange 2003) that the Exchange Servers group is a member of.

By default, in Exchange 2007 Service Pack 1 (SP1), the Exchange Servers group is a member of the Windows Authorization Access group in each domain that has Exchange servers or users with Exchange mailboxes. In Exchange 2007 RTM, the Exchange Servers group doesn't have membership in any other group.

If the Exchange Analyzer determines that the Exchange Servers group is a member of any non-default groups, the Exchange Analyzer displays a non-default configuration message.

If the Exchange Analyzer determines that the Exchange Servers group is a member of any groups that are denied specific Exchange extended rights, the Exchange Analyzer displays an error message.

Extended rights are custom rights specified by individual applications. They are specified in the access control list (ACL). Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."

The following groups, by default, have a Deny access control entry (ACE) for specific Exchange extended rights:

  • Domain Admins

  • Enterprise Admins

  • Schema Admins

  • Exchange Organization Administrators

If the Exchange Servers group inherits, through transitive group membership, a Deny access control entry (ACE) for specific Exchange extended rights, Exchange client access server proxy issues may occur. The issue's symptoms may include, but are not limited to, the following:

  • Client Access server proxy attempts to other sites fail. That is, users cannot use Outlook Web Access to log on to their mailbox through the Client Access server in a different Active Directory site.

  • The following application event log event may be logged:

 

      Product Name: Exchange

      Product Version: 8.0

      Product Build Number: 8.0

      Event ID: 42

      Event Source: MSExchange OWA

      Component: Clients

      Symbolic Name: ProxyErrorSslConnection

      Message Text: Microsoft Exchange Client Access server "%1" attempted to proxy Outlook Web Access traffic to Client Access server "%2". This failed because one of these configuration problems was encountered:%n%n1. "%2" has been set to use "http://" (not using SSL) instead of "https://" (using SSL). You can modify this by setting the InternalUrl parameter of the Outlook Web Access virtual directory this proxy traffic is going to. You can set that parameter using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell.%n%n2. The destination virtual directory returned an HTTP 403 error code. This usually means it is not configured to accept SSL access. You can change this configuration by using Internet Services Manager on the Client Access server "%2".%n%nIf you do not want this proxy connection to use SSL, you need to set the registry key "AllowProxyingWithoutSSL" on this Client Access server and set the InternalUrl and SSL settings for the Outlook Web Access virtual directory this proxy traffic is going to accordingly.

To address the error, remove the Exchange Servers group from membership in the following groups:

  • Domain Admins

  • Enterprise Admins

  • Schema Admins

  • Exchange Organization Administrators

To remove the Exchange Servers group from membership in a non-default or restricted group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the Active Directory Users and Computers console tree, expand the domain.

  3. Navigate to and select the Microsoft Exchange Security Groups container.

  4. In the details pane, right-click the Exchange Servers group and then click Properties.

  5. On the Member Of tab, select the group(s) from which you want to remove the Exchange Servers group and click Remove.

  6. Confirm the removal by clicking Yes at the Remove user from group dialog box.

  7. Click OK to close the Exchange Servers Properties.
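
The Member Of tab lists direct memberships only, while the Deny ACE described above can also arrive through nested groups. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling: it resolves the transitive memberships of the Exchange Servers group and labels each one with the result the article attributes to the Analyzer. The function names, the nesting in `$sample` and the group 'Mail Ops' are constructed for illustration.

```powershell
# Added example (not Microsoft's code). Group names come from the article;
# the nesting in $sample and the group 'Mail Ops' are constructed.
$DenyGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Exchange Organization Administrators'
$DefaultGroups = @('Windows Authorization Access Group')  # SP1 default; RTM has none

# Walk memberOf links breadth-first; the $seen set also stops nesting loops.
function Get-TransitiveMemberOf {
    param([string]$Name, [hashtable]$MemberOfMap)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        foreach ($parent in @($MemberOfMap[$queue.Dequeue()])) {
            if ($parent -and $seen.Add($parent)) { $queue.Enqueue($parent) }
        }
    }
    @($seen)
}

# Live alternative: ask AD for every group that holds $GroupDn directly or by
# nesting (LDAP_MATCHING_RULE_IN_CHAIN). $GroupDn is the distinguished name of
# the Exchange Servers group in your domain.
function Get-TransitiveMemberOfFromAD {
    param([string]$GroupDn)
    $s = [adsisearcher]"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$GroupDn))"
    $s.PageSize = 500
    $s.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] }
}

# Label each group with the result the article says the Analyzer reports.
function Get-MembershipFinding {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        $status = 'NonDefault'
        if ($DefaultGroups -contains $g) { $status = 'Default' }
        if ($DenyGroups -contains $g)    { $status = 'Error' }
        New-Object psobject -Property @{ Group = $g; Status = $status }
    }
}

# Constructed nesting: Exchange Servers -> Mail Ops -> Domain Admins
$sample = @{
    'Exchange Servers' = 'Windows Authorization Access Group', 'Mail Ops'
    'Mail Ops'         = @('Domain Admins')
}
Get-MembershipFinding (Get-TransitiveMemberOf 'Exchange Servers' $sample) |
    Sort-Object Status | Format-Table Group, Status -AutoSize
```

On the constructed data, 'Mail Ops' is the direct membership to remove even though 'Domain Admins' is the group that carries the Deny ACE. `Get-TransitiveMemberOfFromAD` searches only the domain the session is bound to, so run it in each domain that holds Exchange servers.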

For more information about this issue, see the following Exchange resources:

 
© 2014 Microsoft