Mailbox Mgr Policy Exclusion Not Applied (924258)

SYMPTOMS

You recently created a new Mailbox Manager (MM) policy.
In the past, the MM policy removed deleted items 7 days old from the deleted items folder.
You started a new MM policy over the weekend covering the following folders:
Inbox
Outbox
Sent Items
Deleted Items
You set the new MM policy for 90 days and greater - delete immediately.
You created a subset of users that should have an exclusion to the new MM policy using the following KB article:
288115 How to exclude mailboxes from the Mailbox Manager process
You used this portion of the article:
How to Exclude a Single User from Mailbox Manager
The attribute you are to modify is msExchPoliciesExcluded and the value is {3B6813EC-CE89-42BA-9442-D87D4AA30DBC}
However, the exclusion did not work.

Here are 2 dumps of users that should have been excluded from the Mailbox Manager policy that were not excluded:

Expanding base 'CN=User1,OU=Ouname,DC=domainname,DC=com'... 
3> msExchPoliciesIncluded: 
{DE26F190-3C78-4BDA-9706-0274C2AE4993},{26491CFC-9E50-4857-861B-0CB8DF22B5D7};
{5A6B7EE1-7882-46C5-8A3F-008C9353C401},{3B6813EC-CE89-42BA-9442-D87D4AA30DBC};
{0489756F-AF7D-4F48-8978-8AA56C68A754},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}; 
1> msExchPoliciesExcluded: {3B6813EC-CE89-42BA-9442-D87D4AA30DBC}; 
Expanding base 'CN=User2,OU=Ouname,DC=domainname,DC=com'... 
3> msExchPoliciesIncluded: 
{DE26F190-3C78-4BDA-9706-0274C2AE4993},{26491CFC-9E50-4857-861B-0CB8DF22B5D7};
{5A6B7EE1-7882-46C5-8A3F-008C9353C401},{3B6813EC-CE89-42BA-9442-D87D4AA30DBC}; 
{0489756F-AF7D-4F48-8978-8AA56C68A754},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}; 
1> msExchPoliciesExcluded: {3B6813EC-CE89-42BA-9442-D87D4AA30DBC}

CAUSE

In Exchange 2003, if a Mailbox Manager policy is added to msExchangePoliciesIncluded for all users and some users have the Mailbox Manager Policy added to msExchPoliciesExcluded, then the RUS will remove the Mailbox Manager Policy from msExchangePoliciesIncluded and the users will be excluded from the Mailbox Manager actions.
Mailbox Manager only checks msExchPoliciesIncluded to see if the Mailbox Manager policy is there - and if it is, then the Mailbox Manager policy is applied.
In Exchange 2003 Service Pack 1, a change was made so that when a Mailbox Manager policy is added to msExchangePoliciesIncluded for all users and some users have the Mailbox Manager Policy added to msExchPoliciesExcluded, then the Domain Recipient Update Service (RUS) will leave the Mailbox Manager Policy in msExchangePoliciesIncluded.
Since Mailbox Manager only checks msExchPoliciesIncluded to see if the Mailbox Manager policy is there - and if it is, then the Mailbox Manager policy is applied even though the Mailbox Manager Policy is listed in msExchPoliciesExcluded.
This is what happened in your case - the MM policy {3B6813EC-CE89-42BA-9442-D87D4AA30DBC} is listed in both msExchPoliciesIncluded and in msExchPoliciesExcluded.

RESOLUTION

Apply the following hotfix to each Domain RUS:
883351 When a Mailbox Manager policy is created for one mailbox store and is later changed to use another mailbox store, the policy is applied to both mailbox stores in Exchange Server 2003 SP1
Then the behavior for the RUS reverts back to the original Exchange 2003 behavior.
Note - this hotfix is included in Exchange 2003 Service Pack 2 - so you can either apply the hotfix or apply Exchange 2003 Service Pack 2.
Note: This will not automatically fix the accounts that already have been stamped with merged policies, it will only prevent the problem happening with new users.
To fix the problem with exisiting users, first apply the above hotfix and then touch each of the users that you want to exclude from the Mailbox Manager Policy.
One way to do this is to write a script
1. For example, write a script to remove the Mailbox Manager Policy GUIID from msExchPoliciesExcluded
2. Then re-run a script to re-add the Mailbox Manager Policy GUID to msExchPoliciesExcluded).
3. The RUS should then remove the Mailbox Manager Policy GUID from msExchPoliciesIncluded.
4. If it does, then the RUS is working properly and the user should be excluded from the Mailbox Manager Policy when it runs.
Another way to do this is to right click on each Domain RUS and choose Rebuild.
1. Before Rebuilding the RUS, you must check to make sure that the gatewayProxy attribute is NOT populated on the Domain RUS.
2. If the gatewayProxy attributes not populated, then Rebuild the Domain RUS.
3. If the gatewayProxy attribute is populated, use the following article to remove the values populated in the gatewayProxy attribute:
  821743 The gatewayProxy attribute on the Recipient Update Service object is not cleared
4. Rebuild the RUS.
For further information on the Recipient Update Service (RUS), here are 2 important articles:
328738 How the Recipient Update Service applies recipient policies
822794 How to troubleshoot the Recipient Update Service by using the Application log in Exchange 2000 Server or in Exchange Server 2003
Here are some additional general articles on the RUS
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/bf704ad 5-e211-41ce-835f-59b558b6ccca.mspx
http://www.msexchange.org/tutorials/MF017.html

DISCLAIMER

MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE FOR ANY PURPOSE. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.

For more information on the terms of use, click on the link below:
http://support.microsoft.com/tou/