Article ID: 300456 - Last Review: February 28, 2007 - Revision: 3.3

Client permissions and delegations do not persist after being assigned in Exchange 2000

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q300456

On This Page

Expand all | Collapse all

SYMPTOMS

When you try to assign client permissions or delegate access to a mailbox folder, you may experience one or more of the following issues:
  • When you add a user on the Permissions tab of the PublicFolder Properties dialog box (where PublicFolder is the name of the folder to which you have added the user), the user appears to be added successfully, but then disappears from the Name list.
  • When you assign security permissions to certain folders in Active Directory, the permissions appear to be assigned successfully. However, these permissions are missing the next time that you view the Security tab of the FolderName Properties dialog box, where FolderName is the name of the folder to which you have assigned the permissions.
  • When you try to assign a user permissions to a folder in your mailbox, the user who you added disappears when you click Apply or OK.
Back to the top

CAUSE

This issue occurs if both of the following conditions are true:
  • The user to which you are trying to assign permissions is an enabled user.
  • The user to which you are trying to assign permissions has the msExchMasterAccountSID attribute defined.
The information store does not consider an enabled user who has the msExchMasterAccountSID attribute set to be a valid configuration. This behavior may cause problems with delegate access and public folder permissions when the information store tries to convert a Microsoft Windows NT Security Identifier (SID) to legacyExchangeDN. Only disabled users should have the msExchMasterAccountSID attribute set.
Back to the top

RESOLUTION

To resolve this issue, you must use the Active Directory Users and Computers MMC snap-in to clear the Associated external account attribute from the mailbox. If you clear the Associated external account attribute the msExchMasterAccountSID attribute is also cleared.
Back to the top

Use the Active Directory Users and Computers snap-in to clear the Associated External Account attribute

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Click View, and then make sure that there is a check mark in the Advanced Features check box. If the Advanced Features check box does not have a check mark, click to select the Advanced Features check box.

    Note A check mark in the Advanced Features box means that this feature is turned on.
  3. In the folder tree, click Users.
  4. In the right pane, find the user account that you want to change, and then click Properties.
  5. Click the Exchange Advanced tab, and then click Mailbox Rights.
  6. Under Name, view each entry. Find the account that has the Allow check box selected for Associated external account, and then click to clear the Allow check box.
Back to the top

Clearing the msExchMasterAccountSID attribute for lots of enabled user accounts

To clear the msExchMasterAccountSID attribute for lots of enabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Microsoft Exchange 2000 Server Service Pack 2 (SP2), a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.

For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890  (http://support.microsoft.com/kb/322890/ ) How to associate an external account with an existing Exchange 2000 mailbox
For additional methods that you can use to remove the msExchMasterAccountSid attribute for lots of enabled user accounts, contact Microsoft Product Support Services. For more information about the support options available from Microsoft, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)
To determine how many enabled user accounts have a value set on the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=0)((msexchmasteraccountsid=*)))"
The following list describes the Ldifde parameters:
  • -f: This switch indicates the export destination file.
  • -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as corp.company.com, it would become "dc=corp,dc=company,dc=com".
  • -l: This switch, if it is used, restricts output to the export file of only the attributes enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names, not attributes, are generated.
  • -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all user objects that are enabled (msExchMasterAccountControl value of 0) and that have a value set for the msExchMasterAccountSID attribute.
The following text is an example of the output file: 
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
changetype: add
 
dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
changetype: add

. . . . .
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
237677  (http://support.microsoft.com/kb/237677/ ) Using LDIFDE to import and export directory objects to Active Directory
Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT or LDP tools to create, to modify, or to delete the msExchMasterAccountSid attribute.
Back to the top

MORE INFORMATION

In Exchange 2000, a mailbox is an attribute of an Active Directory object; it is not an object in itself. This behavior is different from earlier versions of MicrosoftExchange Server. Therefore, each user object in Active Directory can only be associated with one mailbox. Additionally, each mailbox in the information store must be associated with one object (not necessarily a user) in Active Directory.

When you use the Active Directory Connector (ADC) to populate Active Directory with mailbox information from an existing Exchange Server 5.5 installation, the ADC creates disabled user accounts (by default) for each mailbox in Active Directory. This behavior occurs because each mailbox must be associated with an object in Active Directory, and no user accounts for that mailbox yet exist in Active Directory. The MSExchMasterAccountSID attribute is created on each disabled user account and assigned the SID from the Windows NT 4.0 user account that corresponds to that mailbox.

Note The term "disabled user" refers to users whose credentials do not give them to log on to the domain.
Back to the top
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Outlook 2002 Standard Edition
Back to the top
Keywords: 
kbprb KB300456
Back to the top