Removing Active Directory entries after uninstalling

Applies to: Forefront Protection for Exchange

The Forefront Protection 2010 for Exchange Server (FPE) uninstall program does not run with elevated user rights. Therefore, it does not have the necessary access for removing entries from the Active Directory Domain Service. The following steps can be used by an Enterprise Administrator to remove the entries created by the FPE installation. The number and types of entries are determined by the particular Exchange versions and roles that are being removed. For example:

  • Exchange Server 2010 Mailbox, Hub, or Hub/Mailbox roles

  • Exchange Server 2007 Edge role

  • Exchange Server 2007 Mailbox, Hub, or Hub/Mailbox roles

  • Exchange Server 2007 Mailbox only roles (no changes are required)

Warning

Active Directory Domain Service modifications should only be made after FPE is uninstalled. Modifications to these Active Directory settings when FPE is still installed will have an adverse effect on the operation of FPE.

To remove machine accounts from the Exchange Server 2010 Hygiene Management role group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the Active Directory Users and Computers pane, expand your domain, click Microsoft Exchange Security Groups, and then double-click Hygiene Management.

  3. In the Hygiene Management Properties dialog box, click the Members tab.

  4. Select the computer name, click Remove, and then click OK.
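The same removal can be scripted so that it is repeatable and leaves an audit trail. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT) is installed, that the caller has the rights of an Enterprise Administrator, and that the server to clean up is the local computer unless -ComputerName is given.

```powershell
# Added example, not from the original article: remove a server's computer account
# from the Exchange Server 2010 "Hygiene Management" role group after FPE has been
# uninstalled, instead of using the Active Directory Users and Computers dialogs.
# Assumptions: the ActiveDirectory module (RSAT) is available, the caller has the
# rights of an Enterprise Administrator, and the server to clean up is the local
# computer unless -ComputerName is given.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$WhatIf
)
Import-Module ActiveDirectory

$group = Get-ADGroup -Filter "Name -eq 'Hygiene Management'"
if (-not $group) { throw "The 'Hygiene Management' group was not found in this domain." }

$computer = Get-ADComputer -Identity $ComputerName

# Check membership first so the script is safe to run more than once and
# reports clearly when there is nothing to do. Match on SID, not on name.
$member = Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' -and $_.SID.Value -eq $computer.SID.Value }

if (-not $member) {
    Write-Host "$ComputerName is not a member of 'Hygiene Management'; nothing to remove."
} elseif ($WhatIf) {
    Write-Host "WhatIf: would remove $($computer.DistinguishedName) from 'Hygiene Management'."
} else {
    Remove-ADGroupMember -Identity $group -Members $computer -Confirm:$false
    Write-Host "Removed $($computer.DistinguishedName) from 'Hygiene Management'."
}

# Audit the remaining computer members so an administrator can confirm that only
# servers still running FPE keep the rights this group grants.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object Name, DistinguishedName
```

Run it once with -WhatIf to confirm which account would be removed, then without. The final listing is the check that matters for least privilege: any server that no longer runs FPE but still appears in the group retains the group's rights for no reason.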

To remove Active Directory entries for the Exchange Server 2007 Edge role

  1. Open Active Directory Service Interfaces (ADSI) Edit to retrieve the fully qualified distinguished name.

    On Windows Server 2008, click Start, point to Administrative Tools, and then click ADSI Edit.

  2. In the ADSI Edit interface, connect to localhost:50389 by using the Configuration naming context.

  3. In the ADSI Edit interface, open your Message Hygiene folder, typically Configuration\Services\Microsoft Exchange\First Organization\Transport Settings\Message Hygiene.

  4. Use either the DSACLS or the LDP tool to change the security settings on the object identified by the fully qualified distinguished name (obtained from ADSI Edit), removing the network service and local system entries.

    For example, using DSACLS tools, type the following command to remove the network service:

    D:\Users\Administrator>dsacls "\\localhost:50389\CN=Message Hygiene,CN=Transport Settings,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={COMPUTER GUID}" /r "NT AUTHORITY\NETWORK SERVICE"

    Replace NETWORK SERVICE with SYSTEM to remove the local system.

    For more information about how to use the DSACLS tool, see the following article in the Microsoft Knowledge Base: https://go.microsoft.com/fwlink/?LinkId=160314

    For more information about how to use the LDP tool, see the following article in the Microsoft Knowledge Base: https://go.microsoft.com/fwlink/?LinkId=160315

To remove Active Directory entries for Exchange Server 2007 Mailbox, Hub, or Hub/Mailbox roles

  1. Open ADSI Edit to retrieve the fully qualified distinguished name.

    On Windows Server 2008, click Start, point to Administrative Tools, and then click ADSI Edit.

  2. In the ADSI Edit interface, connect to your default server by using the Configuration naming context.

  3. In the ADSI Edit interface, open your Message Hygiene folder, typically Configuration\Services\Microsoft Exchange\First Organization\Transport Settings\Message Hygiene.

  4. Edit the security setting by following these steps:

    1. Right-click the Message Hygiene folder and then click Properties.

    2. In the Message Hygiene Properties dialog box, click the Security tab.

    3. This step differs depending on whether the server is a Domain Controller:

      For a Domain Controller, remove NETWORK SERVICE and SYSTEM.

      For a non-Domain Controller, remove the computer account.

    4. Click OK.

Note

For Exchange Server 2007 Mailbox only roles, no changes are required.
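Both the Edge procedure (DSACLS against the local AD LDS instance) and the Mailbox/Hub procedure (the Security tab in ADSI Edit) make the same kind of change: explicit access control entries for FPE's principals are removed from the Message Hygiene object. The following PowerShell is an added example, not code from the original article, that performs that change with System.DirectoryServices and selects the principals the way the two procedures describe. It assumes the Edge role's AD LDS instance listens on localhost:50389, that the Exchange organization is named "First Organization", and that it runs as an Enterprise Administrator on the server being cleaned up after FPE has been uninstalled.

```powershell
<#
  Added example, not from the original article: remove the FPE access control
  entries from the "Message Hygiene" object using System.DirectoryServices.
  It performs the same change the article makes with DSACLS (Edge role) or the
  ADSI Edit Security tab (Mailbox, Hub, or Hub/Mailbox roles).

  Assumptions: the Edge role's AD LDS instance listens on localhost:50389, the
  Exchange organization is named "First Organization", and the script runs as
  an Enterprise Administrator on the server being cleaned up, after FPE has
  been uninstalled. Run with -WhatIf first to list the ACEs that would go.
#>
param(
    [ValidateSet('Edge', 'MailboxHub')]
    [string]$Role = 'MailboxHub',
    [string]$OrgName = 'First Organization',
    [string]$Server = '',          # empty = serverless bind to a domain controller
    [switch]$WhatIf
)

# The Edge role keeps its configuration in a local AD LDS instance rather than
# in the domain, so bind to the port the article uses.
if ($Role -eq 'Edge' -and -not $Server) { $Server = 'localhost:50389' }
$prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }

# Read the Configuration naming context from RootDSE instead of hard-coding
# CN=Configuration,CN={COMPUTER GUID}; this works for AD LDS and AD DS alike.
$rootDse  = [ADSI]"${prefix}RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$dn = "CN=Message Hygiene,CN=Transport Settings,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNc"
Write-Host "Target object: $dn"

# Which principals to strip follows the article: NETWORK SERVICE and SYSTEM on an
# Edge server or a domain controller; the server's own computer account otherwise.
# Win32_ComputerSystem.DomainRole is 4 (backup DC) or 5 (primary DC) on a DC.
$isDc = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
$targets = if ($Role -eq 'Edge' -or $isDc) {
    @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM')
} else {
    @("$env:USERDOMAIN\$env:COMPUTERNAME`$")
}

$entry   = [ADSI]"$prefix$dn"
$acl     = $entry.ObjectSecurity          # System.DirectoryServices.ActiveDirectorySecurity
$changed = $false

foreach ($name in $targets) {
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Only explicit (non-inherited) ACEs are removed, which is what "dsacls /r"
    # does as well. Match on SID so the check does not depend on name resolution.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $matching = @($explicit | Where-Object { $_.IdentityReference.Value -eq $sid.Value })

    if ($matching.Count -eq 0) {
        Write-Host "No explicit ACEs for $name; nothing to remove."
        continue
    }
    foreach ($rule in $matching) {
        Write-Host ("{0}: {1} {2}" -f $name, $rule.AccessControlType, $rule.ActiveDirectoryRights)
    }
    if (-not $WhatIf) {
        $acl.PurgeAccessRules($sid)       # drops every explicit ACE for this principal
        $changed = $true
    }
}

if ($changed) {
    $entry.CommitChanges()
    Write-Host "ACL updated on $dn"
} elseif ($WhatIf) {
    Write-Host "WhatIf: no changes were written."
}
```

Running it with -WhatIf before and after the change gives a before/after view of exactly which rights the FPE principals held on the object, which is the evidence an administrator wants when confirming that the uninstall left nothing behind. Inherited entries are deliberately left alone, since they come from a parent container and are not part of what the FPE installation added.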