Jorge's Quest For Knowledge!


(2005-11-20) What Needs To Be Done Additionally When Disabling A Mailbox Enabled User Account?

Posted by Jorge on 2005-11-20


In an account forest / resource forest scenario the Associated External Account (AEA) right is what ties the two together: the mailbox-enabled account in the resource forest is AD disabled, and the account in the account forest is granted the AEA right on that mailbox. Granting the right automatically writes the SID of the account-forest account into the "msExchMasterAccountSID" attribute of the resource-forest account. When an account is AD disabled and mailbox enabled, the attribute "msExchUserAccountControl" is set to 2 (account disabled). That value tells Exchange to use the SID stored in "msExchMasterAccountSID" instead of the objectSID (or sIDHistory) of the resource-forest account, i.e. the account that is AD disabled but mailbox enabled.

So if you have a single forest with AD enabled accounts that are mailbox enabled, and you AD disable one of them, you MUST assign SELF the AEA right on the mailbox afterwards. If you do not, Exchange does not know which SID to use for delegations: you cannot log on to the mailbox, you cannot move it, mail sent to the mailbox generates an NDR, etc.

This is because Exchange sees that "msExchUserAccountControl" is set to 2 while "msExchMasterAccountSID" holds no SID. In this situation Exchange also logs errors (event ID 9548) in the application event log stating the problem and how to solve it.
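As an added example (not part of the original post, and not Microsoft's or ADModify's code), the following Python reproduces the SID-selection rule just described over a few constructed directory entries: it decodes the binary SIDs that objectSid and msExchMasterAccountSID hold, picks the SID Exchange would use for the mailbox, and flags the accounts that sit in the event 9548 state. The sample accounts and their SIDs are made up for the illustration, and treating a SELF master SID as "use the object's own SID" is an assumption of this example; the attribute names and the value 2 come from the post.

```python
# Added example (not from the original post): reproduce the SID-resolution rule
# described above and flag mailboxes that need SELF granted the AEA right.
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTDISABLE = 0x2        # bit msExchUserAccountControl carries for an AD-disabled account
SELF_SID = "S-1-5-10"       # well-known SID of NT AUTHORITY\SELF; ends up in
                            # msExchMasterAccountSID once SELF holds the AEA right


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid / msExchMasterAccountSID as stored in AD) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # sub-authorities are little-endian DWORDs
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample entries."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def effective_mailbox_sid(entry: Dict) -> Tuple[str, Optional[str]]:
    """Apply the rule from the post: enabled -> own objectSid; disabled -> msExchMasterAccountSID.
    Returns (status, sid); status is enabled / linked / self / missing-master-sid."""
    own = sid_to_string(entry["objectSid"])
    uac = int(entry.get("msExchUserAccountControl", 0))
    if not uac & ACCOUNTDISABLE:
        return ("enabled", own)               # own objectSid (or sIDHistory) is used
    master = entry.get("msExchMasterAccountSID")
    if master is None:
        return ("missing-master-sid", None)   # the event 9548 condition described in the post
    master_sid = sid_to_string(master)
    if master_sid == SELF_SID:
        return ("self", own)                  # assumption: SELF resolves to the object's own SID
    return ("linked", master_sid)             # resource-forest mailbox owned by an account-forest SID


def accounts_needing_self_aea(entries: List[Dict]) -> List[str]:
    """sAMAccountNames that are AD disabled + mailbox enabled but carry no master account SID."""
    return [e["sAMAccountName"] for e in entries
            if effective_mailbox_sid(e)[0] == "missing-master-sid"]


def audit_report(entries: List[Dict]) -> List[str]:
    """One line per entry, in the spirit of the event 9548 text."""
    lines = []
    for e in entries:
        status, sid = effective_mailbox_sid(e)
        if status == "missing-master-sid":
            lines.append("%s: msExchUserAccountControl=2 but msExchMasterAccountSID is empty; "
                         "grant SELF the Associated External Account right" % e["sAMAccountName"])
        else:
            lines.append("%s: %s, Exchange uses %s" % (e["sAMAccountName"], status, sid))
    return lines


# Constructed sample entries (hypothetical SIDs, shaped like an LDAP export of the attributes)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "asmith", "objectSid": string_to_sid("S-1-5-21-1000-2000-3000-1104"),
     "msExchUserAccountControl": 0},                                   # enabled, normal mailbox
    {"sAMAccountName": "bjones", "objectSid": string_to_sid("S-1-5-21-1000-2000-3000-1105"),
     "msExchUserAccountControl": 2,
     "msExchMasterAccountSID": string_to_sid("S-1-5-21-4000-5000-6000-1105")},  # linked to account forest
    {"sAMAccountName": "jdoe", "objectSid": string_to_sid("S-1-5-21-1000-2000-3000-1106"),
     "msExchUserAccountControl": 2},                                   # disabled, nothing granted: broken
    {"sAMAccountName": "room1", "objectSid": string_to_sid("S-1-5-21-1000-2000-3000-1107"),
     "msExchUserAccountControl": 2, "msExchMasterAccountSID": string_to_sid(SELF_SID)},  # SELF has AEA
]

if __name__ == "__main__":
    for line in audit_report(SAMPLE_ENTRIES):
        print(line)
```

Run against a real export, the list returned by accounts_needing_self_aea is exactly the set of accounts to feed to a bulk tool such as ADMODCMD; the SID decoder is the part people usually get wrong, because the identifier authority is big-endian while the sub-authorities are little-endian.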

A tool that can be used to assign SELF the AEA right on numerous accounts at once is ADMODCMD, the command line version of ADModify.NET:

(http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)

Some information about it can be found in:
MS-KB 278966: You cannot move or log on to an Exchange resource mailbox (http://support.microsoft.com/?id=278966)
MS-KB 272153: Mailbox Rights for New Users Shows Only Self (http://support.microsoft.com/?id=272153)
MS-KB 268754: How to Assign Users or Groups Full Access to Other User Mailboxes (http://support.microsoft.com/?id=268754)
The NoMAS Tool (http://www.petri.co.il/nomas_tool.htm)
Why is the SELF permission the only permission seen on the Mailbox Rights properties on Exchange 2000/2003 mailboxes? (http://www.petri.co.il/self_permission_on_exchange_mailboxes.htm)

UPDATE: this behavior has been changed in Exchange 2003 SP2 (http://support.microsoft.com/?id=903158).

Some information about it can be found in:
Fix available to alleviate event ID 9548 (http://msexchangeteam.com/archive/2006/03/22/42279…)

Cheers,
Jorge