Article ID: 300456 - View products that this article applies to.
This article was previously published under Q300456
This article has been archived. It is offered "as is" and will no longer be updated.
When you try to assign client permissions or delegate access to a mailbox folder, you may experience one or more of the following issues:
This issue occurs if both of the following conditions are true:
To resolve this issue, you must use the Active Directory Users and Computers MMC snap-in to clear the Associated external account attribute from the mailbox. If you clear the Associated external account attribute the msExchMasterAccountSID attribute is also cleared.
Use the Active Directory Users and Computers snap-in to clear the Associated External Account attribute
Clearing the msExchMasterAccountSID attribute for lots of enabled user accountsTo clear the msExchMasterAccountSID attribute for lots of enabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Microsoft Exchange 2000 Server Service Pack 2 (SP2), a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.
For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890For additional methods that you can use to remove the msExchMasterAccountSid attribute for lots of enabled user accounts, contact Microsoft Product Support Services. For more information about the support options available from Microsoft, visit the following Microsoft Web site:
(http://support.microsoft.com/kb/322890/ )How to associate an external account with an existing Exchange 2000 mailbox
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMSTo determine how many enabled user accounts have a value set on the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=0)((msexchmasteraccountsid=*)))"The following list describes the Ldifde parameters:
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com changetype: add dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com changetype: add . . . . .
237677Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT or LDP tools to create, to modify, or to delete the msExchMasterAccountSid attribute.
(http://support.microsoft.com/kb/237677/ )Using LDIFDE to import and export directory objects to Active Directory
In Exchange 2000, a mailbox is an attribute of an Active Directory object; it is not an object in itself. This behavior is different from earlier versions of MicrosoftExchange Server. Therefore, each user object in Active Directory can only be associated with one mailbox. Additionally, each mailbox in the information store must be associated with one object (not necessarily a user) in Active Directory.
When you use the Active Directory Connector (ADC) to populate Active Directory with mailbox information from an existing Exchange Server 5.5 installation, the ADC creates disabled user accounts (by default) for each mailbox in Active Directory. This behavior occurs because each mailbox must be associated with an object in Active Directory, and no user accounts for that mailbox yet exist in Active Directory. The MSExchMasterAccountSID attribute is created on each disabled user account and assigned the SID from the Windows NT 4.0 user account that corresponds to that mailbox.
Note The term "disabled user" refers to users whose credentials do not give them to log on to the domain.