HallooI have exchange 2007 server sp1 installed on win2k3 r2 sp1. through AD, there are unknown user accounts listed in the mail box rights list?How could I remove them ... they are inherited.. also.. I can see such account when I open the "Manage Full Access permission" in Exchange console. I can remove them from "Manage Full Access permission"… but they returned back. And from AD, I could not stop inherited permission.. It is not located there when I press advanced button. In security tab, in Ad and for user properties, I don’t see such unknown accounts, while the inheritance there is not active. Your help is highly appreciated

On Wed, 3-Feb-10 10:38:23 GMT, Qadous wrote:>>>HallooI have exchange 2007 server sp1 installed on win2k3 r2 sp1. through AD, there are unknown user accounts listed in the mail box rights list?How could I remove them ... they are inherited.. also.. I can see such account when I open the "Manage Full Access permission" in Exchange console. >>I can remove them from "Manage Full Access permission"? but they returned back. >>And from AD, I could not stop inherited permission.. It is not located there when I press advanced button. >>In security tab, in Ad and for user properties, I don?t see such unknown accounts, while the inheritance there is not active. Use ADSIEDIT to locate the object from which those SIDs are inheritedand remove them from there.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

thank you Rich actually I remove all “account unknown” from the domain partition for all above parents and exchange organization ,but I still I see the unknown accounts in "manage full access permission" in Management consol

On Sat, 6-Feb-10 08:55:46 GMT, Qadous wrote:>>>thank you Rich actually I remove all ?account unknown? from the domain partition for all above parents and exchange organization ,but I still I see the unknown accounts in "manage full access permission" in Management consol Are the ones that remain inherited? If so you've missed something.From the description you just gave I think you may not be looking inthe right place, though.Use ADSI and connect to the Configuration naming context. Thennavigate to:CN=<ORGNAME>,CN=MicrosoftExchange,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<TLD>---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

I'm so thankful Rich...really.. I removed most of the account unknown accounts but still there are few accounts.However, could you help me by telling the reason behind "account unknown".Is there any harmful in windows systems result from account unknown ... security? Performance? Errors?It will be better if you send me any Microsoft site links to explain more.Thank you Rich

On Sun, 7-Feb-10 05:54:35 GMT, Qadous wrote:>I'm so thankful Rich...really.. I removed most of the account unknown accounts but still there are few accounts.However, could you help me by telling the reason behind "account unknown".It's pretty simple -- you deleted the account from the directorybefore you removed it from all the places it was used in ACLs. It's apretty common occurance and one of the reasons why it's better to usesecurity groups for granting/denying access to objects.>Is there any harmful in windows systems result from account unknown ... security?There's no security risk since those SIDs no longer exist in the AD.You may be questioned about your security practices during an audit,though.>Performance?Well, slightly. The size of the ACL can become larger than necessary,but under most situations I don't think you'd notice.>Errors?None.>It will be better if you send me any Microsoft site links to explain more.Thank you Rich I think you're probably capable of using any number of search enginesto find those yourself.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

thank you sir