Wednesday, May 06, 2009

Post SBS 2003-2008 Migration DACL Fix

For some reason, the Microsoft SBS 2008 Migration documentation fails to cover the removal of a DACL that's covered in the Exchange 2007 migration documentation.

Basically, after migrating from SBS 2003 to SBS 2008 and removing the Exchange 2003 server from the Exchange organization, you'll need to make one DACL change to remove, as the Exchange 2007 BPA will report, "the Write DACL inherit (group) right for the Exchange Enterprise Servers group... from the root of the domain".

Now, if you were to follow the steps listed in the link inside the Exchange 2007 BPA, you'd never be able to complete this job as it refers to a different group. So what you need to type into Exchange Management Shell, assuming your domain is "example.local", is the following (all on the one line):

Remove-ADPermission "dc=example,dc=local" -user "example.local\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

and then confirm the removal when prompted. Unless you receive an error message, the removal has been successful (i.e., there is no "successful" message).
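Because the command prints nothing on success, the entry can be confirmed gone by listing what the group still holds on the domain root. The following is an added example, not part of the original post: it assumes the post's "example.local" domain, `Get-WriteDaclGroupAce` is a hypothetical helper name, and it assumes the inherited object type is displayed as "Group".

```powershell
# Run in Exchange Management Shell.
# Values assumed from the post's example domain; substitute your own.
$DomainDn = 'dc=example,dc=local'
$Group    = 'example.local\Exchange Enterprise Servers'

function Get-WriteDaclGroupAce {
    # Hypothetical helper: returns the allow ACEs held by $User on $Identity
    # that grant WriteDacl and are scoped to Group objects.
    param([string]$Identity, [string]$User)

    Get-ADPermission -Identity $Identity -User $User |
        Where-Object {
            # Skip deny entries; only an allow ACE grants the right.
            -not $_.Deny -and
            # AccessRights can hold several rights; match on its string form.
            ("$($_.AccessRights)" -match 'WriteDacl') -and
            # Assumption: the inherited object type renders as "Group".
            ("$($_.InheritedObjectType)" -eq 'Group')
        }
}

# @() forces an array so .Count works for zero or one result.
$remaining = @(Get-WriteDaclGroupAce -Identity $DomainDn -User $Group)

if ($remaining.Count -eq 0) {
    Write-Host "No WriteDacl (Group) ACE for '$Group' on $DomainDn."
} else {
    Write-Warning "$($remaining.Count) matching ACE(s) still present:"
    $remaining | Format-List User, Deny, IsInherited, AccessRights, InheritedObjectType
}
```

Run it once before `Remove-ADPermission` to see the entry the BPA complains about, and again afterwards to confirm nothing matches.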

Regards,

The Outspoken Wookie

1 comment:

Dust said...

This worked like a charm, thanks!