XADM: Skipping User Accounts That Are Not Represented in Active Directory During Access Control List Conversion (324323)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q324323
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

This article describes a fix that you can use to skip and remove user accounts that are not represented in Active Directory from the access control list (ACL) of mailboxes and public folders when you upgrade Microsoft Exchange Server version 5.5 to Exchange 2000.

In an environment that is mixed (contains Exchange Server 5.5 and Exchange 2000) or an environment that was previously mixed, the ACL of mailboxes and public folders may contain user accounts that are not represented in Active Directory. Such users are "zombie" users.

Zombie users may cause a problem if the ACL from Exchange Server 5.5 is upgraded to match the NTDS format that is used in Exchange 2000. Exchange 2000 tries to upgrade the ACL each time that the ACL has to be evaluated. If Exchange 2000 encounters a zombie user during the upgrade, the upgrade does not work. Exchange 2000 tries to upgrade the ACL again the next time that Exchange 2000 accesses the ACL. Zombie users can lead to a range of issues, depending upon how prevalent they are in the environment.

If you have already migrated all of your accounts or are in the process of finalizing your migration to Exchange 2000, you may not be able to move mailboxes back to Exchange Server 5.5 to run the DS/IS consistency adjuster.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack

Component: Information store

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date          Time    Version       Size        File name
   ---------------------------------------------------------
   12-JUL-2002   17:08   6.0.5771.28   4,547,136   Store.exe

NOTE: Because of file dependencies, this update requires Microsoft Exchange 2000 Server Service Pack 2.

STATUS

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.

MORE INFORMATION

To use this fix, you have to add and set the Ignore zombie users value. Use this registry value only when you are sure that the zombie users are not the result of replication issues, such as latency. After you set this registry value to ignore zombie users, every zombie user account that Exchange 2000 encounters is removed from the ACL. If a user is valid but is not in Active Directory at the time that the ACL is upgraded, the user is removed, and you have to manually add the user to each ACL.

To add the Ignore zombie users value, you have to edit the registry.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To add the Ignore zombie users value:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: Ignore zombie users
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: If you set this value to 0x1, zombie users are ignored. If you set this value to 0x0 or if this value is not present, zombie users are not ignored.

  4. Quit Registry Editor.
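
A scripted form of the steps above, added here as an example; it is not part of the original article and is not Microsoft's code. It checks that Store.exe is at least the version in the file table, reports the current state of the value, and sets it to 0x1 only when run with -Apply. The parameter names, the use of remote registry access, and the operator-supplied Store.exe path are assumptions.

```powershell
# Added example. ComputerName, StoreExePath and -Apply are assumptions of
# this script; the key, value name and minimum Store.exe version are the
# ones given in this article.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [Parameter(Mandatory = $true)][string]$StoreExePath,  # path to Store.exe, supplied by the operator
    [switch]$Apply                                        # without -Apply the script only reports
)

$subKey    = 'SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$valueName = 'Ignore zombie users'
$minimum   = [version]'6.0.5771.28'

# 1. Confirm that the fixed Store.exe (or later) is installed.
$info  = (Get-Item -LiteralPath $StoreExePath -ErrorAction Stop).VersionInfo
$found = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                        $info.FileBuildPart, $info.FilePrivatePart)
if ($found -lt $minimum) {
    throw "Store.exe is $found; this fix requires $minimum or later."
}

# 2. Open the key, writable only when a change was requested.
#    A remote host must be running the Remote Registry service.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$key  = $hklm.OpenSubKey($subKey, [bool]$Apply)
if ($null -eq $key) { $hklm.Close(); throw "Key not found: HKLM\$subKey" }

try {
    # 3. Record the current state so that the change can be reverted.
    $before = $key.GetValue($valueName, $null)
    if ($null -eq $before) { $state = 'absent (zombie users are not ignored)' }
    else                   { $state = '0x{0:X}' -f $before }
    Write-Output "Store.exe $found; '$valueName' is currently $state"

    # 4. Set the value only when explicitly asked to.
    if ($Apply) {
        $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Output "'$valueName' set to 0x1 (REG_DWORD)"
    }
}
finally {
    $key.Close(); $hklm.Close()
}
```

Keep the reported previous state with your change record: because every zombie entry encountered afterwards is removed from the ACL, reverting the value to 0x0 stops further removals but does not restore entries that were already dropped.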

Modification Type: Minor
Last Reviewed: 6/27/2003
Keywords: kbbug kbExchange2000preSP3fea kbExchange2000preSP3fix kbfix KB324323