Rollback from 2007 to 2003
We are in the process of migrating from Groupwise to Exchange 2007. Part of our migration process calls for using the Microsoft Connector for Novell Groupwise, which requires Exchange 2003. We already had installed 2007, so we uninstalled it and installed 2003. Now we are having some issues with the Recipient Update Service. When we try to create an Exchange account for any user, we get an error:

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 2/5/2010
Time: 12:11:39 PM
User: N/A
Computer: NWC-EXCH2
Description:
The service could not update the entry 'CN=Exchange-User,OU=TestOU,DC=northwood,DC=local' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=northwood,DC=local

And the user account doesn't appear to be created. Is there a rollback document that explains how to revert permissions to how they were before installing Exchange 2007?
February 5th, 2010 7:27pm

“Exchange 2007 has a new predefined Exchange Administrator role called Exchange Recipient Administrators. This role contains permissions to manage the e-mail attributes of all users. Exchange administrators who are members of the Exchange Recipient Administrators role can manage only users' e-mail properties. To enable this functionality, Exchange 2007 must move some e-mail attributes of users into a property set called the "Exchange-Information property set." Exchange does this by redefining the attribute schemas in Active Directory when importing the new Exchange 2007 schema. However, the legacy EES group does not have permissions to the Exchange-Information property set. Therefore, when you import the new Exchange 2007 schema, the Recipient Update Service will no longer have permissions to the users' e-mail attributes and will stop functioning correctly”

--------- Refer to <Preparing Legacy Exchange Permissions>

For the RUS to function correctly again, the Exchange Enterprise Servers group must be granted the following rights at the domain level (you can check these rights by doing a 'DSACLS "DC=domain,DC=com"'):

==============================
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Public Information WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Exchange Information WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for groupType WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for displayName WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS LIST CONTENTS
Allow DOMAIN\Exchange Enterprise Servers SPECIAL ACCESS READ PERMISSONS
Allow DOMAIN\Exchange Enterprise Servers Manage Replication Topology
==============================

Once you have determined which permissions are missing, you can add them back using DSACLS. For example:

Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;Exchange Information;"

Notes: You can substitute 'Exchange Information' for any other missing write permission.

The full list of commands to add back permissions is as follows:

Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;Personal Information;"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;Public Information;"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;Exchange Information;"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;groupType;"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:WP;displayName;"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:LC"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:RC"
Dsacls "dc=domain,dc=com" /I:T /G "DOMAIN\Exchange Enterprise Servers:CA;Manage Replication Topology"

You may also run into a situation where the DSACLS command fails to correctly add the permission, and the following error is reported:

No GUID Found for Exchange Information
The parameter is incorrect.

If this occurs, you must re-run Setup /PrepareLegacyExchangePermissions and Setup /PrepareAD from the Exchange 2007 CD, and then attempt to run the DSACLS command again.

Resources:
Prepare Legacy Exchange 2003 Permissions
Exchange 2007 Server Setup Permissions Reference

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
February 8th, 2010 12:08pm
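
The check-then-restore procedure from the answer above, as an added PowerShell example that is not part of the original thread: it compares a DSACLS listing with the eight entries the answer lists and prints the Dsacls command for each one that is missing. The function name Get-MissingRusGrant and the sample listing are constructed for illustration, and the matching assumes the entry wording shown in the answer.

```powershell
# Added example; function name and sample listing are constructed for illustration.
$Group  = 'DOMAIN\Exchange Enterprise Servers'   # placeholder, as in the answer
$Domain = 'dc=domain,dc=com'                     # placeholder, as in the answer

# Entry text expected in the DSACLS listing -> right to grant (both from the answer).
$Required = [ordered]@{
    'SPECIAL ACCESS for Personal Information WRITE PROPERTY' = 'WP;Personal Information;'
    'SPECIAL ACCESS for Public Information WRITE PROPERTY'   = 'WP;Public Information;'
    'SPECIAL ACCESS for Exchange Information WRITE PROPERTY' = 'WP;Exchange Information;'
    'SPECIAL ACCESS for groupType WRITE PROPERTY'            = 'WP;groupType;'
    'SPECIAL ACCESS for displayName WRITE PROPERTY'          = 'WP;displayName;'
    'SPECIAL ACCESS LIST CONTENTS'                           = 'LC'
    'SPECIAL ACCESS READ PERMISSONS'                         = 'RC'
    'Manage Replication Topology'                            = 'CA;Manage Replication Topology'
}

function Get-MissingRusGrant {
    param([string[]]$AclLines, [string]$Group, [string]$Domain)
    # Entries may wrap onto a second line; collapse whitespace so each matches as one string.
    $text = ($AclLines -join ' ') -replace '\s+', ' '
    foreach ($entry in $Required.GetEnumerator()) {
        $pattern = [regex]::Escape("Allow $Group $($entry.Key)")
        if ($text -notmatch $pattern) {
            # Emit the command in the form the answer uses; review before running it.
            'Dsacls "{0}" /I:T /G "{1}:{2}"' -f $Domain, $Group, $entry.Value
        }
    }
}

# Constructed listing: the Exchange Information and displayName entries are absent.
$sample = @'
Allow DOMAIN\Exchange Enterprise Servers  SPECIAL ACCESS for Personal Information
                                          WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers  SPECIAL ACCESS for Public Information
                                          WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers  SPECIAL ACCESS for groupType
                                          WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers  SPECIAL ACCESS LIST CONTENTS
Allow DOMAIN\Exchange Enterprise Servers  SPECIAL ACCESS READ PERMISSONS
Allow DOMAIN\Exchange Enterprise Servers  Manage Replication Topology
'@ -split "`r?`n"

Get-MissingRusGrant -AclLines $sample -Group $Group -Domain $Domain
# Against a live domain: Get-MissingRusGrant -AclLines (dsacls $Domain) -Group $Group -Domain $Domain
```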
