Proabaly being over cautious here but it's one I don't want to do wrong. My Exchange 2007 (migrated from Ex2003) reports thsi error when running the Exchange Best Practice Analyzer: Access control list (ACL) inheritance is blocked for the Exchange Organization object (CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN). This may cause mail flow problems, store mounting issues and other service outages. Follow Microsoft Knowledge Base article 264733 and use the Exchange System Manager to re-enable inheritance on this object. I know what needs to be done but am I runnign any risk doing this? Exchange works fine as is.

It won't cause any issues, if inheritance has only have been removed. Make sure. no other permission changes have been made , for anyother convenience. Like "deny" for any security group below the "CHC" Open Adsiedit.msc Open Configuration Partition. Just go this location ,, See location from left to right CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN --Properties of CHC - security - Advanced - Inheritance check should not be there . It will be there for all other objects Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

It won't cause any issues, if inheritance has only have been removed. Make sure. no other permission changes have been made , for anyother convenience. Like "deny" for any security group below the "CHC" Open Adsiedit.msc Open Configuration Partition. Just go this location ,, See location from left to right CN=CHC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CHC,DC=LAN --Properties of CHC - security - Advanced - Inheritance check should not be there . It will be there for all other objects Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

There are a number of explicit DENY permissions, but I don't have another Ex2007 to check them against to swee if they're the 'norm'. I think the reason inheritance was removed was for GFI MailEssentials as there's an account named 'GFI' added at this level, which couldn't have been unless Inheritance was removed. Are these normal permissions at this level?

Hello healthyCamper, I suggest you go to enable inheritance for permissions on Organization object. Here is a related document for you: Permissions inheritance block on configuration object http://technet.microsoft.com/en-us/library/aa998240(EXCHG.80).aspx Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

How about the issue, any updates? Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

Hi Evan, Will be doing this weekend to allow back-out time just in case. Not in office this week.

Happy to say my paranoia ill-founded. Change made, server restarted and no issues to report plus a nicer looking ExBPA