Proabaly being over cautious here but it's one I don't want to do wrong. My Exchange 2007 (migrated from Ex2003) reports thsi error when running the Exchange Best Practice Analyzer:
Access control list (ACL) inheritance is blocked for the Exchange Organization object (CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN). This may cause mail flow problems, store mounting issues and other service outages. Follow Microsoft
Knowledge Base article 264733 and use the Exchange System Manager to re-enable inheritance on this object.
I know what needs to be done but am I runnign any risk doing this?

Exchange works fine as is.

There is an amazing pack of free network admin tools. click here to download it

It won't cause any issues, if inheritance has only have been removed.
Make sure. no other permission changes have been made , for anyother convenience.
Like "deny" for any security group below the "CHC"
Open Adsiedit.msc
Open Configuration Partition. Just go this location ,,
See location from left to right
CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN
--Properties of CHC - security - Advanced - Inheritance check should not be there .

It will be there for all other objects
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

It won't cause any issues, if inheritance has only have been removed.
Make sure. no other permission changes have been made , for anyother convenience.
Like "deny" for any security group below the "CHC"
Open Adsiedit.msc
Open Configuration Partition. Just go this location ,,
See location from left to right
CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN
--Properties of CHC - security - Advanced - Inheritance check should not be there .

It will be there for all other objects
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

There are a number of explicit DENY permissions, but I don't have another Ex2007 to check them against to swee if they're the 'norm'. I think the reason inheritance was removed was for GFI MailEssentials as there's an account named 'GFI' added at this
level, which couldn't have been unless Inheritance was removed.


Are these normal permissions at this level?

There is an amazing pack of free network admin tools. click here to download it

Hello healthyCamper,
I suggest you go to enable inheritance for permissions on Organization object.
Here is a related document for you:
Permissions inheritance block on configuration object

http://technet.microsoft.com/en-us/library/aa998240(EXCHG.80).aspx

Thanks,

Evan Liu

TechNet Subscriber Support in forum
If you have any feedback on our support, please contact

tngfb@microsoft.com Evan Liu
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta

How about the issue, any updates?

Thanks,

Evan Liu

TechNet Subscriber Support in forum
If you have any feedback on our support, please contact

tngfb@microsoft.com Evan Liu
TechNet Community Support

There is an amazing pack of free network admin tools. click here to download it

Hi Evan, Will be doing this weekend to allow back-out time just in case. Not in office this week.

Need to support users over the internet? click here try our remote control online beta

Happy to say my paranoia ill-founded. Change made, server restarted and no issues to report plus a nicer looking ExBPA

There is an amazing pack of free network admin tools. click here to download it