The Active Directory Cleanup Wizard sets the "msExchMasterAccountSID" attribute on the enabled users in Exchange 2000

Article translations Article translations
Article ID: 309222 - View products that this article applies to.
This article was previously published under Q309222
Expand all | Collapse all

On This Page

SYMPTOMS

When you use the Active Directory Cleanup Wizard (ADClean) to merge the mail attributes from disabled users who were created by the Active Directory Connector (ADC) into enabled users, ADClean preserves the value of the msExchMasterAccountSID attribute from the disabled user and sets this attribute on the enabled user.

The information store does not consider an enabled user who has the msExchMasterAccountSID attribute set to be a valid configuration. This behavior can cause problems with delegate access and public folder permissions when the information store tries to convert a Microsoft Windows NT Security Identifier (SID) to a legacyExchangeDN. Only disabled users should have the msExchMasterAccountSID attribute set.

CAUSE

This problem can occur if ADClean does not check to see if the target account was an enabled or a disabled user.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
301378 How to obtain the latest Exchange 2000 Server service pack

WORKAROUND

To work around this problem, use an LDAP tool (such as the ADSIEdit snap-in, the LDP utility, or LDIFDE) to view the msExchMasterAccountSID attribute on a user. To find enabled users who have the msExchMasterAccountSID attribute set, use the following LDAP query:
(&(objectclass=user)(msExchUserAccountControl=0)(msExchMasterAccountSID=*))
				

For more about how to find and correct existing enabled users who have the msExchMasterAccountSID attribute set, see the "More Information" section.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.

MORE INFORMATION

With the Microsoft Exchange 2000 Service Pack 2 (SP2) version of ADClean, ADClean does not set the msExchMasterAccountSID attribute on the enabled account if the target account is an enabled user.

Use the Active Directory Users and Computers MMC snap-in to clear the Associated external account attribute from the mailbox. If you clear the Associated external account attribute, the msExchMasterAccountSID attribute is also cleared.

Use the Active Directory Users and Computers snap-in to clear the Associated External Account attribute

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Click View, and then make sure that there is a check mark in the Advanced Features check box. See commente Advanced Features check box does not have a check mark, click to select the Advanced Features check box.

    Note A check mark in the Advanced Features box means that this feature is turned on.
  3. In the folder tree, click Users.
  4. In the right pane, find the user account that you want to change, and then click Properties.
  5. Click the Exchange Advanced tab, and then click Mailbox Rights.
  6. Under Name, view each entry. Find the account that has the Allow check box selected for Associated external account, and then click to clear the Allow check box.

Clearing the msExchMasterAccountSID attribute for lots of enabled user accounts

To clear the msExchMasterAccountSID attribute for lots of enabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service SP2, a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.

For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890 How to associate an external account with an existing Exchange 2000 mailbox
For additional methods to remove the msExchMasterAccountSid attribute for lots of enabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
To determine how many enabled user accounts have a value set on the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=0)((msexchmasteraccountsid=*)))"
The following list describes the Ldifde parameters:
  • -f: This switch indicates the export destination file.
  • -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as corp.company.com, it would become "dc=corp,dc=company,dc=com".
  • -l: This switch, if it is used, restricts output to the export file of only the attributes enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names, not attributes, are generated.
  • -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all user objects that are enabled (msExchMasterAccountControl value of 0) and that have a value set for the msExchMasterAccountSID attribute.
The following text is an example of the output file:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
changetype: add
 
dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
changetype: add

. . . . .
				
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
237677 Using LDIFDE to import and export directory objects to Active Directory
Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT or LDP tools to create, to modify, or to delete the msExchMasterAccountSid attribute.

Properties

Article ID: 309222 - Last Review: February 28, 2007 - Revision: 2.3
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
Keywords: 
kbbug kbexchange2000sp2fix kbfix KB309222

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com