Access control list (ACL) inheritance is blocked

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2009-12-11

Microsoft Exchange Server 2007 or Exchange Server 2010 setup cannot continue because the required permissions could not propagate.

Exchange setup requires that inheritance for permissions be enabled on the following Exchange objects:

  • Exchange Organization object

  • Exchange Administrative Group object

  • Exchange Servers container object

  • Exchange Address List object

  • Exchange Public Folder object

  • Exchange Public Folder tree object

Failure to enable inheritance for permissions on these objects may result in mail flow problems, store mounting issues, and other service outages.

To resolve this issue, make sure that the "Allow permissions to propagate to this object and child objects" setting is enabled for the object, and then rerun Exchange Server 2007 or Exchange 2010 setup.

To re-enable permissions inheritance for an Exchange configuration object using Exchange Server 2003 Exchange System Manager

  1. Enable the Security tab for the object properties box of Exchange System Manager by setting a registry parameter.

    1. Start Registry Editor (Regedt32.exe).

    2. Locate the following key in the registry:

      HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin

    3. On the Edit menu, click New, and then add the following registry value:

      Value Name: ShowSecurityPage

      Data Type: REG_DWORD

      Radix: Binary

      Value: 1

    4. Quit Registry Editor.

    Note

    By default, the Security tab is not enabled in the configuration object properties box.

  2. Open Exchange System Manager, find the object in question, right-click the object and select Properties.

  3. Select the Security tab and then click Advanced.

  4. Select Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.

  5. Restart Exchange Server.

Warning

If you incorrectly modify the attributes of Active Directory objects when you use ADSI Edit, the LDP tool, or another LDAP version 3 client, you may cause serious problems. These problems may require that you reinstall Microsoft Windows Server™ 2003, Exchange Server, or both. Modify Active Directory object attributes at your own risk.

To re-enable permissions inheritance for an Exchange configuration object using ADSI Edit from Exchange Server 2007 or Exchange Server 2010

  1. Install ADSI Edit.

  2. Launch ADSI Edit. Click Start, click Run, type adsiedit.msc in the text box, and then click OK.

  3. Navigate to the object in question, right-click the object and select Properties.

  4. Select the Security tab and then click Advanced.

  5. Select Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.

  6. Select OK twice to apply the change.

  7. Wait for Active Directory replication to propagate the changes or force Active Directory replication by following the guidance in Microsoft Knowledge Base article 232072, "Initiating Replication Between Active Directory Direct Replication Partners" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=232072).
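To confirm which objects still block inheritance before rerunning setup, the following read-only PowerShell check can be used. It is an added example, not part of the original topic or of Exchange setup. It assumes a domain-joined host, an account that can read the configuration partition, and that the Exchange objects live under CN=Microsoft Exchange,CN=Services in that partition; the function name Get-BlockedInheritance is hypothetical.

```powershell
# Added example: read-only audit of ACL inheritance on Exchange configuration objects.
# Nothing is modified; objects are only read and reported.
function Get-BlockedInheritance {
    param(
        # Optional search root (distinguished name). Assumption: when omitted, the
        # Exchange container in the forest's configuration partition is used.
        [string]$SearchBase
    )

    if (-not $SearchBase) {
        $rootDse    = [ADSI]'LDAP://RootDSE'
        $SearchBase = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500          # page results so large trees are fully returned
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $entry = $result.GetDirectoryEntry()
            try {
                # AreAccessRulesProtected is $true when the DACL is protected, that is,
                # when permissions from the parent do NOT propagate to this object.
                if ($entry.psbase.ObjectSecurity.AreAccessRulesProtected) {
                    New-Object PSObject -Property @{
                        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
                        ObjectClass       = $entry.psbase.SchemaClassName
                    }
                }
            }
            finally { $entry.psbase.Dispose() }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

# List every object under the Exchange container whose ACL inheritance is blocked.
Get-BlockedInheritance | Format-Table DistinguishedName, ObjectClass -AutoSize
```

An empty result means no object under the search root blocks inheritance. Compare any reported object against the list of required objects above before changing it.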