Permissions Inheritance Block on Domain Object

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2006-04-13

The Microsoft® Exchange Server Analyzer Tool checks Active Directory® domain objects such as containers and organizational units. If permissions inheritance is blocked in the containers or organizational units, the Exchange Server Analyzer displays an error.

The Exchange Server Analyzer identifies the specific object.

When changes are made to an Active Directory domain object, changes to its access control list (ACL) are overwritten. Even if 'Inherit from parent' is manually enabled, inheritance is effectively disabled when changes are applied to the ACL. This condition causes Recipient Update Service (RUS) issues, because RUS no longer has the necessary permissions on the Active Directory organizational unit in which the accounts reside.

This behavior can occur if you cleared the Allow inheritable permissions from parent to propagate to this object check box on the Active Directory organizational unit in which the accounts reside.

To resolve the problem, use the Active Directory Users and Computers snap-in or Active Directory Service Interfaces (ADSI) Edit to reestablish inheritable permissions for the organizational unit. Follow the detailed steps under scenario two in the Microsoft Knowledge Base article 254030, "Missing permissions cause the Recipient Update Service not to process accounts in Exchange 2000 Server and Exchange Server 2003" (
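The check the Analyzer performs, and the repair described above, can also be done from a script. The following is an added example, not part of the original article or the Analyzer's own code: it enumerates every organizational unit in the default naming context, reports those whose DACL is protected (the state produced by clearing the "Allow inheritable permissions from parent to propagate to this object" check box), and, only when run with -Fix, re-enables inheritance while keeping the explicit ACEs. It assumes a domain-joined machine and an account with permission to read, and for -Fix to modify, the security descriptor of the OUs.

```powershell
# Added example: find organizational units with blocked permissions inheritance
# and optionally re-enable it. Report-only unless -Fix is supplied.
param(
    [switch]$Fix
)

# Bind to RootDSE to discover the domain naming context (assumes domain-joined host).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(objectClass=organizationalUnit)"
$searcher.PageSize   = 1000   # paged search so large domains are fully enumerated
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null

$blocked = 0
foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    $ou = [ADSI]"LDAP://$dn"

    # AreAccessRulesProtected is $true when the DACL carries the "protected" flag,
    # which is exactly what clearing the inheritance check box sets.
    if ($ou.ObjectSecurity.AreAccessRulesProtected) {
        $blocked++
        Write-Output "Inheritance BLOCKED: $dn"

        if ($Fix) {
            # isProtected=$false re-enables inheritance from the parent;
            # preserveInheritance=$true keeps the existing explicit ACEs instead of
            # discarding them, so no permission currently on the OU is lost.
            $ou.ObjectSecurity.SetAccessRuleProtection($false, $true)
            $ou.CommitChanges()
            Write-Output "  -> inheritance re-enabled on $dn"
        }
    }
}

Write-Output "Organizational units with blocked inheritance: $blocked"
```

Run it first without -Fix to review the list against what the Analyzer reported; the OU the Analyzer names should appear in the output before any change is made.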

For more information about access control lists (ACLs) in Microsoft Windows Server 2003™ Active Directory, see "How Security Descriptors and Access Control Lists Work" (

For more information about permissions inheritance, see "How Permissions Work" (