XADM: Event ID 9554 Appears After You Modify Mailbox Permissions

Symptoms

The following recurring event may appear in the Application Log of the Event Viewer every 30 minutes:

Date: <date> Source: MSExchangeIS
Time: <time> Category: General
Type: Warning Event ID: 9554
User: N/A
Computer: <ServerName>

Description:
Unable to update Mailbox SD in the DS. Mailbox GUID:
f911a4c2-42de-42c1-8d97-abef7766063c. Error Code 0x80040102
Note In the preceding error message, the globally unique identifier (GUID) of the mailbox is a unique 32-character alpha-numeric identifier.

Cause

This behavior may occur after you modify permissions on a mailbox.

Resolution

To resolve this issue, either restore the original permissions to the modified mailbox, or click to select the Allow inheritable permissions from parent to propagate to this object check box on the Security tab of the user account whose mailbox causes this issue. To do this, follow these steps.

Step 1: Locate the mailbox that causes this issue

In some cases, you may not know which mailbox causes this error. In this case, use the Active Directory Administration Tool (Ldp.exe) to determine which mailbox causes this issue.


WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Convert the 32-character GUID from the Event ID 9554 description to an msExchMailbox value. To do this, follow these steps:
    1. Paste the Mailbox GUID from the Description box of the 9554 Event into Notepad. For example, f911a4c2-42de-42c1-8d97-abef7766063c.

      Note The GUID contains five sections that are separated by hyphens.
    2. On a blank line in Notepad, type the characters from the first section of the GUID (for example, f911a4c2) in two-character portions separated by backslash characters, in reverse order. For example: \c2\a4\11\f9.

      Note You must include the initial backslash character.
    3. Type the characters from the second section of the GUID (for example, 42de) in two-character portions separated by backslash characters, in reverse order. For example: \de\42.
    4. Type the characters from the third section of the GUID (for example, 42c1) in two-character portions separated by backslash characters, in reverse order. For example: \c1\42.
    5. Type the characters from the fourth section of the GUID (for example, 8d97) in two-character portions separated by backslash characters. For example: \8d\97.

      Note For this section of the GUID, you do not reverse the order of the two-character sections.
    6. Type the characters from the fifth section of the GUID (for example, abef7766063c) in two-character portions separated by backslash characters. For example: \ab\ef\77\66\06\3c.

      Note For this section of the GUID, you do not reverse the order of the two-character sections.
    7. Add each of the re-typed GUID sections together to form the msExchMailbox value. For example:
      \c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c
    8. On a new line in Notepad, use this new msExchMailbox value to create a msExchMailboxGUID entry similar to the following:
      (msExchMailboxGUID=\c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c)
      Note Include the parentheses in the preceding command.
  2. Start the Active Directory Administration Tool (Ldp.exe).

    Note If the Windows 2000 Support Tools are not installed, install them from the Windows 2000 CD. The file path is Support\Tools\Setup.exe.
  3. On the Connection menu, click Connect.
  4. In the Server box, type the name of a domain controller (DC). Leave the default port selection as 389, unless you have set up your LDAP port configurations differently on the DC, and then click OK.
  5. On the Connection menu, click Bind.
  6. Type the user name, password, and domain information for a user with access to view the Active Directory root tree, and then click OK.
  7. On the View menu, click Tree.
  8. Leave the BaseDN box blank, and then click OK. By default, this switches the focus to the BaseDN of the root Active Directory tree.
  9. Expand the domain container (for example, DC=example,DC=com), right-click the users container, and then click Search.
  10. Copy the new msExchMailboxGUID entry, including the parentheses, from Notepad, and paste it into the Filter box, replacing the existing filter.

    Note The Filter box should contain an entry similar to the following:
    (msExchMailboxGUID=\c2\a4\11\f9\de\42\c1\42\8d\97\ab\ef\77\66\06\3c)
  11. Click Subtree, and then click Run.

    Note Do not change the contents of the Base Dn box.

    The mailbox information and the mailbox owner are returned.
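
The GUID conversion in step 1 can be scripted so the filter is not retyped by hand. The following Python sketch is an added example, not part of the original article; the function names and the embedded sample event text are constructed for illustration. It pulls the GUID out of a 9554 description, builds the filter by the article's section rules, and cross-checks it against Python's uuid.bytes_le, which uses the same byte order.

```python
import re
import uuid

# Constructed sample of an Event ID 9554 description, using the article's GUID.
SAMPLE_EVENT = (
    "Unable to update Mailbox SD in the DS. Mailbox GUID:\n"
    "f911a4c2-42de-42c1-8d97-abef7766063c. Error Code 0x80040102"
)

GUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def extract_guid(event_text):
    """Return the first hyphenated GUID in the event description, or raise."""
    match = GUID_RE.search(event_text)
    if match is None:
        raise ValueError("no mailbox GUID found in event text")
    return match.group(0).lower()


def guid_to_filter_manual(guid):
    """Apply the article's rules: reverse sections 1-3 by byte, keep 4-5 as typed."""
    sections = guid.split("-")
    if [len(s) for s in sections] != [8, 4, 4, 4, 12]:
        raise ValueError("GUID must have five sections of 8-4-4-4-12 hex characters")
    octets = []
    for index, section in enumerate(sections):
        pairs = [section[i:i + 2] for i in range(0, len(section), 2)]
        if index < 3:  # only the first three sections are reversed
            pairs.reverse()
        octets.extend(pairs)
    return "(msExchMailboxGUID=" + "".join("\\" + p for p in octets) + ")"


def guid_to_filter(guid):
    """Build the same filter from uuid.bytes_le (first three fields little-endian)."""
    raw = uuid.UUID(guid).bytes_le
    return "(msExchMailboxGUID=" + "".join("\\%02x" % b for b in raw) + ")"


if __name__ == "__main__":
    g = extract_guid(SAMPLE_EVENT)
    assert guid_to_filter_manual(g) == guid_to_filter(g)
    print(guid_to_filter(g))
```

The printed value can be pasted into the Ldp.exe Filter box in step 10.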

Step 2: Change mailbox permissions

  1. Start the ADSIEDIT snap-in. Go to the domain partition.
  2. Right-click the user whose permissions you want to change, and then click Properties.
  3. Click the Security tab, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.

    Note Do not select this check box for the built-in Administrator or for the Domain\Administrator objects.
  4. Quit the Active Directory Users and Computers snap-in.

More Information

For more information about failing to update the mailbox security descriptor in the directory service, visit the following Microsoft Web site:
Properties

Article ID: 322308 - Last Review: Apr 19, 2010 - Revision: 1
