Summary: When accessing a distribution group or mail-enabled security group, you may get an error message saying “The access control entry defines the ObjectType ‘GUID’ that can't be resolved.” In this post, we will go through this error and see how to resolve it. We will also mention an Exchange repair tool that can help recover a database if it gets corrupted.
A distribution group or distribution list in Exchange Server is a collection of email addresses that are related to a single email address or alias. Such a group allows a user to send emails to multiple users at once by using only a single recipient email address.
Sometimes, when opening the properties of a distribution group or mail-enabled security group, you get an error message, like:
"The object removed has been corrupted or isn't compatible with Microsoft support requirements, and it's in an inconsistent state. The following validation errors happened:
The access control entry defines the ObjectType 'a8df73ef-c5ea-11d1-bbcb-0080c76670c0' that can't be resolved."
As you can see, the error message indicates that an item is corrupt or is incompatible with the Microsoft support requirements.
The issue might affect several groups, one group, or a group type. So, you should check whether the problem is with a single entity or multiple entities.
The ObjectType mentioned in the error message refers to Employee-Number in the Active Directory schema. To check this:
- Open ADSI Edit and connect to the Schema naming context.
- Click on the CN=Schema, CN=Configuration.
- Find and open the entry CN=Employee-Number.
- You will see the Employee Number schemaIDGUID matches the GUID mentioned in the error message.
Note: If you open the distribution group or security group from the Active Directory Users & Computers and check the Attribute Editor, you will not find the attribute.
How to Resolve the ObjectType ‘GUID’ that can’t be Resolved Error in Exchange Server?
The error can occur due to underlying issues with the Internet Information Services (IIS) that might be hindering the connectivity between the Exchange Server and Active Directory. You can try to reset the Internet Information Services. To do so, open an elevated Command Prompt and run the below command.
iisreset
When the services are reset, check if the problem persists.
It is also suggested to restart the actual server and see if the problem still persists.
You can also check the audit log to understand if any changes on the server might have created the issue or are stopping the Exchange Server from showing the properties of the group.
Another option is to check the Active Directory and make sure there are no ‘Denies’. If there are any, you will see the error on the group or groups.
This might happen if there are permission issues on the object or on an item in the object. There might also be connectivity issues between the domain controllers, or between the Exchange Server and the domain controller.
To check permissions,
- Open Active Directory Users & Computers, click the View menu, and enable the Advanced Features option.
- Find the group which is causing the issue and open its properties.
- Click on the Security tab and then click on Advanced. In the list of permissions, there should be only active users and groups.
- If you see any unknown accounts (see the below example), remove them. These accounts refer to deleted groups or users and might be causing the issues on the Exchange Server.
Account Unknown (S-1-5-21-#########-#########-#########-1835)
Note: Before doing this, it is strongly recommended to take a backup of the Active Directory domain controller.
Once the unknown accounts are removed and the Active Directory changes are confirmed, try to access the properties of the Exchange Server group.
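The schema lookup and the permission check described above can also be done in one read-only pass from PowerShell. This is an added example, not part of the original procedure; it assumes the RSAT ActiveDirectory module is installed, and the group name Sales-DL is a placeholder.

```powershell
# Added example: read-only audit of one group's ACL. It changes nothing in AD.
# 'Sales-DL' is a hypothetical group name; replace it with the affected group.
Import-Module ActiveDirectory

$groupName = 'Sales-DL'
$errorGuid = [guid]'a8df73ef-c5ea-11d1-bbcb-0080c76670c0'   # GUID from the error message

# Build a GUID -> name map from the schema (attributes and classes).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights and property sets are identified by rightsGuid instead.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

"GUID from the error resolves to: $($guidMap[$errorGuid])"

# Read the group's ACL through the AD: drive provided by the module.
$group = Get-ADGroup -Identity $groupName
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

$findings = foreach ($ace in $acl.Access) {
    $reasons = @()
    # A trustee that is still a raw SID could not be translated to an account name.
    if ($ace.IdentityReference.Value -match '^S-1-') { $reasons += 'unresolved SID' }
    if ($ace.AccessControlType -eq 'Deny')           { $reasons += 'Deny ACE' }
    if ($ace.ObjectType -eq $errorGuid)              { $reasons += 'ObjectType from error' }
    elseif ($ace.ObjectType -ne [guid]::Empty -and -not $guidMap.ContainsKey($ace.ObjectType)) {
        $reasons += 'ObjectType not found in schema'
    }
    if ($reasons) {
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            Reason     = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Flagged entries are candidates for review, not automatic removals: a Deny ACE for Everyone on Delete, for example, is what the "Protect object from accidental deletion" option adds. An entry marked Inherited has to be corrected on the parent container rather than on the group itself.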
You can also try to run the setup of the Exchange Server with the PrepareAD parameter. For this, open the Command Prompt and run the below command.
setup.exe /preparead
After this, try to access the properties of the group.
If the problem still persists, then reinstall the Exchange Server. However, this would require a lot of effort.
Conclusion
“The access control entry defines the ObjectType ‘GUID’ that can’t be resolved” error occurs when accessing the properties of a distribution group. This issue can impact the daily maintenance and jobs on the Exchange Server. Above, we have mentioned some possible solutions to resolve the issue.
During troubleshooting, if anything happens that damages the Exchange Server or corrupts the databases, then you need to restore the databases as soon as possible, without any data loss. In such a case, specialized Exchange Recovery Software, such as Stellar Repair for Exchange, can come in handy. With this application, you can open a corrupt Exchange Server database of any version of Exchange Server, without any size limitations. You can then export the EDB data to PST and other file formats. You can also use the application to export the data directly to a live Exchange Server database or Exchange Online.