Article ID: 309222 - View products that this article applies to.
This article was previously published under Q309222
When you use the Active Directory Cleanup Wizard (ADClean) to merge the mail attributes from disabled users who were created by the Active Directory Connector (ADC) into enabled users, ADClean preserves the value of the msExchMasterAccountSID attribute from the disabled user and sets this attribute on the enabled user.
The information store does not consider an enabled user who has the msExchMasterAccountSID attribute set to be a valid configuration. This behavior can cause problems with delegate access and public folder permissions when the information store tries to convert a Microsoft Windows NT Security Identifier (SID) to a legacyExchangeDN. Only disabled users should have the msExchMasterAccountSID attribute set.
This problem can occur if ADClean does not check to see if the target account was an enabled or a disabled user.
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/301378/ )How to obtain the latest Exchange 2000 Server service pack
To work around this problem, use an LDAP tool (such as the ADSIEdit snap-in, the LDP utility, or LDIFDE) to view the msExchMasterAccountSID attribute on a user. To find enabled users who have the msExchMasterAccountSID attribute set, use the following LDAP query:
For more about how to find and correct existing enabled users who have the msExchMasterAccountSID attribute set, see the "More Information" section.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.
With the Microsoft Exchange 2000 Service Pack 2 (SP2) version of ADClean, ADClean does not set the msExchMasterAccountSID attribute on the enabled account if the target account is an enabled user.
Use the Active Directory Users and Computers MMC snap-in to clear the Associated external account attribute from the mailbox. If you clear the Associated external account attribute, the msExchMasterAccountSID attribute is also cleared.
Use the Active Directory Users and Computers snap-in to clear the Associated External Account attribute
Clearing the msExchMasterAccountSID attribute for lots of enabled user accountsTo clear the msExchMasterAccountSID attribute for lots of enabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service SP2, a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.
For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890For additional methods to remove the msExchMasterAccountSid attribute for lots of enabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:
(http://support.microsoft.com/kb/322890/ )How to associate an external account with an existing Exchange 2000 mailbox
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMSTo determine how many enabled user accounts have a value set on the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=0)((msexchmasteraccountsid=*)))"The following list describes the Ldifde parameters:
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com changetype: add dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com changetype: add . . . . .
237677Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT or LDP tools to create, to modify, or to delete the msExchMasterAccountSid attribute.
(http://support.microsoft.com/kb/237677/ )Using LDIFDE to import and export directory objects to Active Directory