Problem solve Get help with specific problems with your technologies, process and projects.

Configure Exchange to ignore zombie ACEs and ACLs

Exchange 2003 was designed so it can co-exist with Exchange 5.5. Unfortunately, the complexity of co-existence can create problems with ACEs and ACLs.

Microsoft designed Exchange Server 2003 so it can co-exist with Exchange 5.5 if necessary. Unfortunately, the complexity of co-existence and the vast differences between the two versions can create problems with access control entries (ACE) and access control lists (ACL).

When an Exchange 2003 server is introduced into an Exchange 5.5 organization, the format of all the Exchange 5.5 ACLs and ACEs

is modified in order to make co-existence possible. However, problems can occur if you fail to replicate the entire Exchange 5.5 directory to Active Directory or if you attempt a Directory Service/Information Store consistency adjustment against the Exchange 5.5 organization.

Most of the time, these issues manifest themselves in the form of performance problems or the inability to view public folders homed on a different server than your mailbox. You can usually get past these problems just by cleaning up any inconsistencies that might exist between the Exchange 5.5 directory and Active Directory.

Occasionally, though, you may encounter a more serious ACE and ACL-related problem. I have seen situations in which organizations will either decommission an Exchange 5.5 server or upgrade the server to Exchange 2003 while inconsistencies still exist. This causes an interesting problem, because you can't go back to the Exchange 5.5 server and fix the inconsistencies, since the server no longer exists (at least not in its previous form).

When a situation like this occurs, there are two different ways you can fix the problem. The easiest solution is to convert your Exchange organization to native mode (this is different than converting your Windows domain to native mode). When you convert your Exchange organization to native mode, Exchange will automatically ignore any zombie ACEs and ACLs. The problem is that you can't switch to native mode if you still have any Exchange 5.5 servers in your organization. Furthermore, once you switch to native mode, there is no going back, so you will never be able to join another Exchange 5.5 server to your organization.

The other solution is to create a registry key on your Exchange servers that will make Exchange ignore zombie ACLs and ACEs.

Important: Modifying the registry can be dangerous. An incorrect registry modification can destroy Windows and/or your applications. Perform a full system backup before continuing.

  1. Open the Registry Editor on the server and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    [Note: This string is one line with no spaces.]
  2. Next, create a REG_DWORD value named 'Ignore zombie users.'
  3. Finally, assign this registry key a value of 0x1. This will cause zombie ACEs and ACLs to be ignored.

If you ever need Exchange to not ignore zombies for some reason, you can either set the registry key's value to 0x0 or you can delete it completely.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at


Is this also applicable for Exchange 2000?
—Jason H.


I'm inclined to think that the procedure will work with Exchange 2000, but I'm not absolutely positive.
—Brien M. Posey, tip author

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Legacy Exchange Server versions

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.