Event ID 9548 & System Performance

Have you ever disabled a Windows account when an employee has left your company, only to see the following event ID logged by Exchange 200x?

Event ID 9548

It can also occur on the disabled Windows accounts that the ADC creates.

Well, if you're like me, you would have merely thought this to be nothing more than annoying. As it happens, there's more to this error than meets the eye. First, let's take a look at why this error is logged. We'll then go on to talk about why this error can cause you problems you might not have expected it to.

Event 9548 is just an indicator but it does tell you what the problem is - the account listed in the event text does not have a master account SID. What does that mean? Well, the method used to grant permissions in Exchange 200x information store Access Control Lists (ACLs) varies depending on whether the Windows account is enabled or disabled.

* Disabled Windows account permissions are calculated by using the msExchMasterAccountSID attribute.

* Enabled Windows account permissions are calculated by using the objectSID or sidHistory attributes.

If a disabled Windows account does not have the msExchMasterAccountSID attribute set, the 9548 event ID may be logged under certain conditions. The logging of this event ID can easily be fixed by granting the SELF account the Associated External Account right to the mailbox. This is fully documented in MSKB 278966.

Merely ensuring that event ID 9548 isn't logged in the application event log for cosmetic purposes isn't the only reason you should set the SELF account with Associated External Account rights. Every time this event is logged (and remember there is one per disabled account) you are contributing to a possible performance problem with your Exchange server. This is because one of the Information Store threads will hang trying to resolve the disabled user account that is more than likely listed somewhere in an ACL on another object. In other words, every time someone tries to access an ACL that contains the disabled user account, there will be a performance hit whilst the Information store tries to determine who the disabled user really is.

This may not be a problem on smaller systems but Microsoft PSS has already seen numerous cases where resolving the 9548 event IDs has resolved system performance problems. The message here is loud and clear: don't let event ID 9548 multiply and go unnoticed on your system, as it will eventually show as reduced system performance.

Account Deleted on November 3, 2003 at 12:37 AM in Useful Info
« Outlook 2003 Add-in - Video Email | Main | Exchange 2003 Tools Descriptions »

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8345191a569e200e5501fbfb78833

Listed below are links to weblogs that reference Event ID 9548 & System Performance:

Comments

Nice tip, just what I was looking for! :)

One question though; Does it not have any security consequences when one changes the msExchMasterAccountSIDs to the SID belonging to SELF?

Posted by: Mikkel Nielsen at Nov 6, 2003 5:01:00 AM

No security consequences as far as I know. This is because SELF is nothing more than a placeholder for the actual object itself. For example, giving SELF permissions for Fred's mailbox is the same as giving Fred access to Fred's mailbox, if you see what I mean. Hope this helps!

Posted by: Neil Hobson at Nov 11, 2003 1:09:13 AM

Awesome tip guys, it was an amazing help. Also a note to add:
I only experienced this problem with newly created accounts and mailboxes directly on the exchange 2003 box. My migrated boxes from 5.5 to 2003 were not affected. I would create a new user in AD, create a mailbox for that account on the Ex2003 box, and then diable the account. I would get undeliverable messages to that account until I set the permissions for SELF as specified in the article. So not only does this Event ID cause performance issues, it also causes mail delivery issues, since our company uses the disabled user account method of allowing users to have multiple mailboxes. If this sounds confusing let me know, and I'll try to make more sense for you :)

Posted by: David Fike at Dec 16, 2003 4:50:57 PM

Glad to hear it helped. :-)

I expect your migrated accounts weren't affected because you probably used the ADC to create disabled accounts. This process automatically sets the Assosicated External Account right.

Posted by: Neil Hobson at Dec 17, 2003 1:56:50 AM

Can this error effect the "Recipient Update Services" from updating?
The user that is getting this warning is SystemMailbox

Posted by: James Marcus at Dec 28, 2003 3:52:48 PM

So if we had, say 300 of these, is there an easy way to bulk add rights to mailboxes to members of a certain OU? for example, we can use pfadmin on public folders to export and import public folder permissions directly to the objects.

I'd like to do that with all the users -- add the 'self' object.

Posted by: Wayne Hall at May 2, 2004 10:52:28 AM

Great entry! Just ran across this issue today. This was actually preventing access to the mailbox using the "Open Other Users Folder" command. I set the permissions for self and it resolved it! Thanks a bunch!

Posted by: MichaelE at May 4, 2004 4:47:42 AM

Hello All,

This is great stuff. My question is, how do you stop the 9548 event from occuring when you have already deleted the AD account?

Posted by: Tyrone at Sep 9, 2004 7:16:27 AM

As above - How do you contain the problem. This just started happening on my network today. We have very high turn over here and this could quickly become a major pain.

Posted by: Erik at Sep 15, 2004 8:34:19 AM

I noticed that SELF already has full mailbox access and its still logging 9548. whats up with that?

Posted by: sonny at Sep 16, 2004 8:18:33 AM

I also have this event in my logs, but the accounts listed already have the correct permissions for SELF. Any other ideas?

Posted by: john at Sep 30, 2004 5:55:24 AM

What? Did I miss something? So, how do you fix this issue?

Posted by: james brady at Nov 15, 2004 9:10:24 AM

I am getting this message. However, like Tyrone, the account in question has already been deleted. Thus I cannot correct the permissions on the account. How do I fix this message for an AD account that is deleted.

Posted by: Steven Pena at Nov 16, 2004 8:53:19 AM

We had an account disabled by accident so when we enabled we got this message and no one has access to the mailbox anymore, how do I fix that? I have tried the self thing and it doesn't seem to work.

Posted by: Jim Kiddoo at Dec 22, 2004 4:01:57 PM