The Write DACL for the Exchange Enterprise Servers group should be removed from the root of the domain
Topic Last Modified: 2009-08-12
When you run the Microsoft Exchange Server Analyzer Tool, the tool examines the Exchange topology to determine whether any Exchange Server 2003 or Exchange 2000 servers are present. If the environment was formerly a mixed-mode Exchange organization and if the last Exchange 2003 or Exchange 2000 server has been removed from the organization, the tool generates the following warning message:
The Write DACL inherit (group) right for the Exchange Enterprise Servers group should be removed from the root of the domain.
When you run the Setup /PrepareDomain command with versions of Exchange that are earlier than Exchange 2007 Service Pack 1 (SP1), the Setup program grants all Exchange servers the Modify Permissions right (the WriteDACL access right, inherited by group objects) at the root of the domain. This right exists to support hidden distribution group memberships. However, because Exchange 2007 does not support hidden distribution groups, the right is not required in a pure Exchange 2007 organization. Additionally, because the right is held by the Exchange Enterprise Servers group, it lets any user who is a local administrator on an Exchange server modify the group membership of any group in any domain in the forest, including the root domain. In a pure Exchange 2007 organization, we recommend that you remove the Modify Permissions right from the Exchange Enterprise Servers group.

To remove the Modify Permissions right
1. Start the Exchange Management Shell.

2. Run the following command, replacing dc=<Domain> with the distinguished name of the domain (for example, dc=contoso,dc=com) and <RootDomain> with the NetBIOS name of the root domain:

Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group
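The two steps above, worked through as an added example that is not part of the original article: the script audits the domain root for the ACE before it touches anything, runs the article's removal command as a dry run and then for real, and verifies afterwards that the ACE is gone. It must be run inside the Exchange 2007 Management Shell by an account that is allowed to edit the domain root ACL. The domain distinguished name dc=contoso,dc=com and the root-domain NetBIOS name CONTOSO are assumed placeholders, the property names in the filter (AccessRights, InheritedObjectType) are those Get-ADPermission returns in the Management Shell, and the check on the group class GUID is a fallback in case InheritedObjectType is displayed as a GUID rather than as the class name.

```powershell
# Added example (not from the original article): audit, remove and re-verify the
# WriteDACL right that Setup /PrepareDomain granted to "Exchange Enterprise Servers"
# on a domain root. Run inside the Exchange 2007 Management Shell.
param(
    [string]$DomainDn     = 'dc=contoso,dc=com',                   # assumed domain DN
    [string]$ServersGroup = 'CONTOSO\Exchange Enterprise Servers'  # assumed root-domain NetBIOS name
)

# Well-known schemaIDGUID of the Active Directory "group" class. The ACE the article
# describes is inherited only by group objects, so this is its InheritedObjectType.
$groupClassGuid = 'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Get-ExchangeServersWriteDaclAce {
    # Return the allow ACEs on $Identity held by $User that carry WriteDacl and are
    # scoped to group objects (matched by class name, or by class GUID as a fallback).
    param([string]$Identity, [string]$User)
    Get-ADPermission -Identity $Identity -User $User |
        Where-Object {
            -not $_.Deny -and
            "$($_.AccessRights)" -match 'WriteDacl' -and        # flags render as e.g. "WriteDacl"
            ("$($_.InheritedObjectType)" -match '^group$' -or
             "$($_.InheritedObjectType)" -eq $groupClassGuid)
        }
}

function Remove-ExchangeServersWriteDaclAce {
    # The article's step 2 command; -DryRun maps to -WhatIf so nothing is changed.
    param([string]$Identity, [string]$User, [switch]$DryRun)
    Remove-ADPermission -Identity $Identity -User $User -AccessRights WriteDACL `
        -InheritedObjectType Group -Confirm:$false -WhatIf:$DryRun
}

# 1. Audit: list what is there before changing anything.
$before = @(Get-ExchangeServersWriteDaclAce -Identity $DomainDn -User $ServersGroup)
if ($before.Count -eq 0) {
    Write-Host "No WriteDACL ACE for $ServersGroup on $DomainDn; nothing to remove."
    return
}
$before | Format-List User, AccessRights, InheritedObjectType, InheritanceType

# 2. Dry run first, then the real removal.
Remove-ExchangeServersWriteDaclAce -Identity $DomainDn -User $ServersGroup -DryRun
Remove-ExchangeServersWriteDaclAce -Identity $DomainDn -User $ServersGroup

# 3. Verify: fail loudly if the ACE is still present.
$after = @(Get-ExchangeServersWriteDaclAce -Identity $DomainDn -User $ServersGroup)
if ($after.Count -ne 0) {
    throw "WriteDACL ACE for $ServersGroup is still present on $DomainDn"
}
Write-Host "Removed $($before.Count) WriteDACL ACE(s) for $ServersGroup from $DomainDn."
```

Setup /PrepareDomain runs once per domain, so run the script once against the root of each domain that was prepared for Exchange 2000 or Exchange 2003, passing that domain's distinguished name as -DomainDn. The -User value stays the root domain's Exchange Enterprise Servers group in every case, because that is the group the right was granted to.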