Every hour around the clock Exchange 2007 logs a Warning, event id 9554 for each user who does not have "Allow inheritable permissions from parent to propagate" checkbox checked. I enabled inheritance for all users who don't belong to SE_DACL_PROTECTED groups, but what should I do with users who belong to SE_DACL_PROTECTED? If i enable inheritance on their accounts, it will get reset next time protection mechanism runs. Disabling the protection mechanism is not something I want to do as described here http://support.microsoft.com/kb/817433

Mail-enabling members of protected groups is not recommended. Exchange 2010 is even pickier about that. Your best option is to either mail-disable those accounts or remove them from the protected groups and re-enable inheritance.

no, none of my admin accounts are mail enabled!

If their inheritance is getting removed then they were members of a protected group at one time. You should check if the AdminCount attribute on their acounts is greater or equal to 1 per that link you posted before and: http://support.microsoft.com/kb/318180 AdminSDHolder Thread Affects Transitive Members of Distribution Groups

i have 20 accounts that belong to one or more protected groups, but have no mailboxes, every time protection mechanism runs i get an event 9554 for each account. so if there is a solution to this problem, it’s 480 events on the exchange box that would not get logged. Thanks

How long ago did you remove their mailboxes?

some of the accounts didn't have mailboxes at all some were removed about 1 year ago

some of the accounts didn't have mailboxes at all some were removed about 1 year ago Should I even see event id 9554 for accounts that DON'T have mailboxes?

Should I even see event id 9554 for accounts that DON'T have mailboxes?