The Write DACL for the Exchange Enterprise Servers group should be removed from the root of the domain

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2009-08-12

When you run the Microsoft Exchange Server Analyzer Tool, the tool examines the Exchange topology to determine whether any Exchange Server 2003 or Exchange 2000 servers are present. If the environment was formerly a mixed-mode Exchange organization and if the last Exchange 2003 or Exchange 2000 server has been removed from the organization, the tool generates the following warning message:

The Write DACL inherit (group) right for the Exchange Enterprise Servers group should be removed from the root of the domain.

When you run the Setup /PrepareDomain command with versions of Exchange that are earlier than Exchange 2007 Service Pack 1 (SP1), the Setup program grants all Exchange servers the Modify Permissions right at the root of the domain. This behavior allows for hidden distribution group memberships. However, because Exchange 2007 does not support hidden distribution groups, this right is not required in a pure Exchange 2007 organization. Additionally, the Modify Permissions right lets any user who is a local administrator modify the group membership of any group in any domain in the forest, including the root domain. In a pure Exchange 2007 organization, we recommend that you remove the Modify Permissions right from the Exchange Enterprise Servers group.

To remove the Modify Permissions right

  1. Start the Exchange Management Shell.

  2. Run the following command:

    Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group
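The following script, added here as an example and not part of the original topic, audits the domain root for the WriteDACL access control entry described above before it is removed, so the change can be reviewed and verified. It assumes an Exchange 2007 SP1 or later Exchange Management Shell session; the domain distinguished name and the NetBIOS name of the root domain are placeholders.

```powershell
# Added example (not from the original topic). Placeholders below must be
# replaced with the real domain root DN and root-domain NetBIOS name.
$DomainDN = "DC=corp,DC=example,DC=com"            # placeholder: domain root
$EESGroup = "CORP\Exchange Enterprise Servers"     # placeholder: <RootDomain>\group

# List every non-Deny ACE on the domain root that grants WriteDacl to the group,
# whatever object type it is inherited to, so the full scope of the grant is visible.
$aces = Get-ADPermission -Identity $DomainDN -User $EESGroup |
    Where-Object { -not $_.Deny -and ("$($_.AccessRights)" -match "WriteDacl") }

if (-not $aces) {
    Write-Host "No WriteDacl ACE for $EESGroup on $DomainDN; nothing to remove."
    return
}

Write-Host "WriteDacl ACEs currently granted to $EESGroup on ${DomainDN}:"
$aces | Format-Table User, AccessRights, InheritanceType, InheritedObjectType, IsInherited -AutoSize

# Remove only the ACE this topic refers to: the one inherited to Group objects.
# -WhatIf shows the planned change; drop it after reviewing the output above.
$groupAce = $aces | Where-Object { "$($_.InheritedObjectType)" -eq "Group" }
if ($groupAce) {
    Remove-ADPermission -Identity $DomainDN -User $EESGroup `
        -AccessRights WriteDACL -InheritedObjectType Group -WhatIf
}
else {
    Write-Host "No WriteDacl ACE scoped to Group objects found; check the other entries listed above."
}

# Re-run the audit after the removal has been applied; an empty result is the expected state
# in a pure Exchange 2007 organization.
Get-ADPermission -Identity $DomainDN -User $EESGroup |
    Where-Object { "$($_.AccessRights)" -match "WriteDacl" }
```

Any remaining WriteDacl entry that is not scoped to Group objects is outside what this topic covers and should be reviewed separately before being changed.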

For More Information

For more information about the Remove-ADPermission cmdlet, see the "Remove-ADPermission" topic (