MORE INFORMATION

How to add the "Ignore zombie users" registry key

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. To add the Ignore zombie users registry key, do the following:

1. Start Registry Editor.
2. Locate and then click the following key in the registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

3. On the Edit menu, click Add Value, and then add the following registry key and information:
   • Value name: Ignore zombie users
   • Data type: REG_DWORD
   • Radix: Hexadecimal
   • Value data: Set the value to 0x1 if you want to ignore zombie users; set the value to 0x0 if you do not want to ignore zombie users. If you leave this value empty, zombie users are not ignored.
4. Quit Registry Editor.

Behavior before Exchange 2000 Server Service Pack 1 (SP1)

If Exchange 2000 Server SP1 has not been installed, Zombie users may cause problems if the ACL is upgraded from Exchange Server 5.5 to match the NTDS format that is used in Exchange 2000 Server.

Exchange 2000 Server tries to upgrade the ACL each time that the ACL has to be evaluated. If Exchange 2000 Server encounters a zombie user during the upgrade, the upgrade does not work. However, the-old style ACL still exists on the folder, the permissions are not lost forever, and Exchange 2000 Server will try to upgrade the ACL again the next time that Exchange 2000 accesses the ACL. Zombie users can create a variety of issues, depending upon how many exist in the environment.

For example, if a user account is missing from the Active Directory when the hierarchy replicates to Exchange 2000 Server, the store process cannot match the user's DN to a valid Active Directory account. Because of this, Exchange 2000 Server fails the ACL conversion, and only the owner of the public folder is granted access to the folder until the zombie issues with the folder are resolved. This occurs every time the ACLs on a folder are evaluated, regardless of whether the folder has had its ACLs successfully upgraded in the past.

Public folder behavior after Exchange 2000 Server SP1

If you have Exchange 2000 Server SP1 or later installed, the ACL upgrade is more lenient. If the user account is missing from the Active Directory when the hierarchy replicates to Exchange 2000 Server, Exchange 2000 Server may no longer fail the ACL conversion and remove everyone except the owner, depending on whether the folder has had its ACL successfully upgraded before.

• If the folder has never had its ACL completely and successfully upgraded before, the behavior is the same as it is in the retail, released version. All users are removed whether they are zombies and will be unable to access the folder. Only the owner can access the folder.
• If the folder has had its ACL completely and successfully upgraded before, any new zombies on the folder's ACL will not cause all users except the owners to be removed from the ACL. The zombies are ignored. Exchange tries to add the zombie to the ACL when the zombie can be identified in the Active Directory.

Behavior after Exchange Service Pack 3 and hotfix

When you install Service Pack 3 and the following hotfix in Exchange 2000 Server, Exchange skips and removes user accounts (zombies) that are not represented in Active Directory from the access control list (ACL) of mailboxes and public folders. This behavior occurs if either of the following conditions exist:

• The Exchange organization is in Native mode. Because there are no more Exchange Server 5.5 servers, the organization, replication latency, and related items are not a problem. All zombies can safely be ignored.
• The Ignore zombie users registry key is set while in Mixed mode. This forces the ACL upgrade to succeed, even though there may be zombies because of replication latency. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  324323 Skipping user accounts that are not represented in Active Directory during access control list conversion

  When you use this hotfix, there is no requirement to set the Ignore Zombie Users registry key.

Use the Ignore zombie users registry key only when you are sure that the unused access control entries or zombie users are not the result of replication issues, such as latency. After you set this registry key to ignore zombie users, every zombie user account that Exchange 2000 Server encounters is removed from the ACL. If the user is valid but is not in Active Directory at the time that the ACL was upgraded, the user is removed, and you have to manually add the user to each ACL.

Determine why ACL conversions fail

If you are having ACL conversion failures, find out why the conversations are failing, and then take steps to remove unused access control entries from your Exchange Server 5.5 Public Folders. To do this, use any of the following methods:

• Make sure that there are no replication problems with the ADC.
• Remove the unused access control entries by running the DS/IS consistency adjuster in the Exchange Server 5.5 Administrator program. Only remove the unknown permissions from mailboxes and public folders. Selecting the other options in the consistency adjuster can cause unwanted effects, such as re-homing public folders.
• Use the NTDSNoMatch utility to control how the ADC matches the mailboxes to Active Directory user accounts. For more information about the NTDSNoMatch utility, click the following article number to view the article in the Microsoft Knowledge Base:

  274173 Documentation for the NTDSNoMatch utility

• Use the DNDeadlist registry key to remove specific, known zombie users. For more information about the DNDeadlist registry key, click the following article number to view the article in the Microsoft Knowledge Base:

  318549 Migrated Exchange Server 5.5 mailboxes generate event ID 9551 warning messages for the ACL

When you use these methods, you will have no requirement for the Ignore zombie users registry key.

The "Ignore zombie users" registry key

If you still cannot remove the unused access control entries from your Exchange Server 5.5 public folders, you may decide to use the Ignore zombie users key. Before you use the Ignore zombie users key, you must understand the effects that the key may have. When the Exchange Server 5.5 ACL public folder hierarchy replicates to Exchange 2000 Server, the following steps occur:

1. The ACL data is stored as a list of a distinguished names (DNs) that identify where the objects reside in the overall object hierarchy.
2. The Exchange 2000 Server store process uses LDAP to cross-match each DN ACE with an NtSid:
   • If all DNs can be matched, the whole ACL can be promoted into a property named NTSD.
   • However, if any of the DNs cannot be found in the Active Directory, the ACL conversion process fails for that particular folder. Each time a user or the administrator enumerates the folder, the ACL conversion process starts again. This can result in delays opening the public folder.

An example using the "Ignore zombie users" registry key

The following example shows how the Ignore zombie users registry key can have unexpected results when a DN cannot be matched in the ACE, and the ACL conversion process fails:

In Exchange Server 5.5, a public folder has the following permissions set:

• TestUser - Deny all
• Exchange Admins - Read/Write

TestUser's effective permissions are Deny all. Individual permissions take precedence over group permissions.

Compare the following scenarios that may occur in this example:

• If the TestUser account is missing from the Active Directory when the hierarchy replicates to Exchange 2000 Server, the store process cannot match TestUser's DN to a valid Active Directory account. Because of this, in the default mode, Exchange 2000 Server fails the ACL conversion and only the owner of the public folder is granted access to the folder.
• If you use the Ignore zombie users value on the Exchange 2000 Server computer, the store will convert as many ACEs that it can, and will ignore and remove any zombies from the ACL. Default permissions are granted, but the "Deny" permissions that were applied to TestUser are ignored, so TestUser now has the default "Read/Write" permissions to the public folder.
  

Also, when a change occurs to the Exchange 2000 Server public folder, the ACL is replicated back to Exchange Server 5.5, so TestUser has "Read/Write" access to the public folder in Exchange Server 5.5.

As this example shows, using the Ignore zombie users value on the Exchange 2000 Server computer can have unexpected results.

When to use the "Ignore zombie users" registry key

There are situations where the Ignore zombie users may be useful. For example, you may consider using the Ignore zombie users in the following situations:

• If you have cleaned up all multiple mailbox mappings by using the NTDSNoMatch utility, and the zombies are deleted Exchange Server 5.5 users who do not have logon access.
• DLs or Universal Security Groups in the Active Directory have been used to set the ACLs on a folder. Because of this, if a user is not replicated correctly, the user's group membership permissions take effect.
• The content in the public folder is not confidential or sensitive.

The Ignore zombie users registry key also applies to Microsoft Exchange Server 2003. However, the NTDSNoMatch utility that is mentioned in this article is replaced by the ADC Tools Step 3: Resource Mailbox Wizard in Exchange Server 2003.