Project Description
This is a small utility to fix mailbox security descriptors in Microsoft Exchange that have become non-canonical. It must be run on a machine with Exchange System Manager for Exchange 2003 installed, but it will work against mailboxes on 2003 or 2007 (not 2010).

When you run the Add-MailboxPermission cmdlet, you may receive an error stating:

The ACL for the object "CN=User1,CN=Users,DC=contoso,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored.

This tool corrects this problem. It must be run on a machine with the Exchange admin tools for Exchange 2003 installed, because it relies on the interfaces exposed by CDOEXM.

The tool uses CDOEXM from C# to read the MailboxRights object from the IExchangeMailbox interface. It then iterates through the DACL and puts all the ACEs in canonical order, and saves the changes.

This is a command-line tool, and the syntax is quite simple:

FixMailboxSD <DN of mailbox>

For example:

FixMailboxSD "CN=Test 1,OU=Mailboxes,DC=contoso,DC=com"

The tool will display a summary view of the current DiscretionaryAcl, and then show a summary view of the DACL after it has reordered it. It will then save the changes and return to a command prompt.

Last edited Dec 27, 2010 at 5:50 PM by bilong, version 5