Exchange Server 5.5 mailbox owner rights are removed when you change the ADC connection agreement from a one-way connection agreement to a two-way connection agreement

Article translations Article translations
Article ID: 317721 - View products that this article applies to.
This article was previously published under Q317721
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page

SYMPTOMS

After Active Directory Connector (ADC) replication, users may receive an access denied error message and may no longer able to log on to the Microsoft Exchange Server 5.5 mailbox. If you view the permissions of the mailbox in the Exchange Server 5.5 Exchange Server Administrator program (after you view the rights for roles on the Permissions tab), the mailbox owner right has been removed from the permissions for that account.

CAUSE

This problem may occur if a recipient Connection Agreement that was configured as a one-way Connection Agreement is changed to a two-way Connection Agreement.

RESOLUTION

To resolve this problem, apply the hotfix that is available through this article or the latest service pack and then clean up any accounts that are already affected. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
301378 How to obtain the latest Exchange 2000 Server service pack
To resolve this problem, you have to apply the hotfix listed in this article and clean up any accounts that are already affected. Just applying the hotfix listed in this article does not correct the issue for users who have already replicated to the Active Directory over the one-way Connection Agreement. The fix prevents new users from being stamped incorrectly when replicating to the Active Directory over a one-way Connection Agreement.

If you have already changed the one-way Connection Agreement to a two-way Connection Agreement and permissions have already been removed from the Exchange 5.5 mailboxes, follow the steps in the "Scenario 1" section to resolve this problem. If you have not yet changed the one-way Connection Agreement to two-way, follow the steps in the "Scenario 2" section to clean up the accounts that have replicated through the one-way Connection Agreement to prevent the 5.5 mailbox permissions from being removed when you flip the Connection Agreement to two-way.

Scenario 1

Important Follow these steps in the order that they are listed to make sure that the permissions are not removed again.
  1. Stop the ADC service, and then disable it.
  2. Apply the ADC fix listed at the bottom of the "Resolution" section.
  3. Remove the msExchMailboxSecurityDescriptor attribute from all the users in Active Directory that the one-way Connection Agreement replicated from Exchange Server 5.5 to Active Directory. Make sure you do not remove this attribute from any Exchange 2000 mailboxes. To identify these users and remove the msExchMailboxSecurityDescriptor attribute from many users, use the Ldifde.exe utility to query, and then to modify the user accounts:
    1. Run the following Ldifde.exe command to generate an LDIF export file:
      ldifde -f file_name -d "dc=domain,dc=com" -r "(&(objectCategory=person)(objectClass=user)(msExchMailboxSecurityDescriptor=*))" -l nothing
      The following text is an example of the output file that the command creates:
      dn: CN=UserA,CN=Users,DC=domain,DC=com
      changetype: add
      
      dn: CN=UserB,CN=Users,DC=domain,DC=com
      changetype: add	
    2. Change the export file to look similar to:
      dn: CN=UserA,CN=Users,DC=domain,DC=com
      changetype: modify
      delete: msExchMailboxSecurityDescriptor
      -
      
      dn: CN=UserB,CN=Users,DC=domain,DC=com
      changetype: modify
      delete: msExchMailboxSecurityDescriptor
      -
      
      Each record must be followed by a hyphen and a blank line, including the last record in the file.

      Note You can use the find and replace feature in Microsoft Word to convert the export file to the import file. Make sure that you save the file in plain text format when you finish.

      To use Word to create the import file:
      1. On the Edit menu, click Replace to open the Find and Replace dialog box.
      2. In the Find what box, type:
        ^p^p
        Note Type the caret character (^) followed by a lowercase p, not CTRL+P.

        You can also copy these search strings, and then paste them in the Word Find and Replace dialog box.
      3. In the Replace with box, type:
        ^p-^p^p
        Click Replace All. A hyphen and a blank line are inserted following each record in the file.
      4. In the Find what box, type:
        changetype: add^p
      5. In the Replace with box, type:
        changetype: modify^pdelete: msExchMailboxSecurityDescriptor^p
        Click Replace All.
      6. Either save the file that is generated as plain text, or paste the contents of the file in Microsoft Notepad to visually verify that the formatting matches the previous example.
      7. To import the file, run the following Ldifde command:
        ldifde -i -f file.txt -s domaincontroller
  4. Fix the Exchange Server 5.5 permissions on any affected mailbox by granting the account the mailbox owner right. To do so:
    • Grant the mailbox account the mailbox owner right manually.
    • Restore a copy of the directory that was made before the permissions change.
    • If an export of permissions was done before the permissions change, do a directory import of permissions.

      If an export of permissions before the change is not available, you can do a directory export of all the affected mailboxes and then edit the .csv file by changing the Primary Windows NT Account column header to Obj-Users and import this file back in. This will correct the permissions for the user who is the primary account listed on the mailbox. You must manually fix any other accounts that were added with the User right. For more information about how to export or import mailbox permissions, click the following article number to view the article in the Microsoft Knowledge Base:
      188628 Exporting and importing permissions on objects
      Note You can run a default export of the Exchange 5.5 directory to get all the required header fields. If you do not, for the subsequent import to work, you must export at least the following four header fields, and increment the Object Version value.
      • Obj-Class
      • Directory Name
      • E-mail addresses
      • Primary Windows NT Account
  5. "Touch" all the Exchange Server 5.5 mailboxes where you removed the msExchMailboxSecurityDescriptor attribute from the corresponding user account in Active Directory in step 3. To do so quickly, do a directory export of all the mailboxes in the Exchange Server Administrator program, and then immediately import the export (you do not have to change anything in the export). This export and import increments the Object-Version attribute on all the mailboxes in Exchange Server 5.5.

    The Object-Version attribute must be incremented so that Exchange Server has the newest object change. Because Exchange Server has the newest object change, replication occurs from the Exchange Server side first. This stamps the msExchMailboxSecurityDescriptor attribute correctly. If the Exchange Server side does not have the newest change, replication occurs from Active Directory first (because removing the msExchMailboxSecurityDescriptor attribute in step 3 is considered an object change), and this removes the mailbox owner right again.
  6. Set the ADC service to automatic, and then start the ADC service.
  7. Force a full replication of the recipient Connection Agreement.

Scenario 2

  1. Stop the ADC service, and then disable it.
  2. Apply the ADC fix.
  3. Remove the msExchMailboxSecurityDescriptor attribute from all the users (same as step 3 in the earlier "Scenario 1" section).
  4. Run another ldifde export with the same syntax that you used in the first export and verify that no users show up in this export file. (The export pulls all mailboxes with the msExchMailboxSecurityDescriptor attribute stamped on them so if it was stripped off all the mailboxes correctly in step 3, no mailboxes should show up in the second export.)
  5. Force a full replication of the 1-way Connection Agreement so that the msExchMailboxSecurityDescriptor attribute is restamped on all the Exchange 5.5 mailboxes correctly.
  6. When you are sure that the msExchMailboxSecurityDescriptor attribute has been stamped correctly on all the users, you can flip the 1-way Connection Agreement to a 2-way Connection Agreement. You can verify that all the mailboxes have been restamped correctly by running the same ldifde export that you performed in step 3 and verify that you have the same number of entries that you had in the very first export.

ADC Fix

The English version of this fix has the following file attributes or later:

Component: ADC

Collapse this tableExpand this table
File nameVersion
Adc.exe6.0.5770.45

Note Because of file dependencies, this update requires Microsoft Exchange 2000 Server Service Pack 2.

STATUS

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
329169 Resolution in article 317721 fails to fix mailbox owner rights removal issue

Properties

Article ID: 317721 - Last Review: October 24, 2013 - Revision: 6.1
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
Keywords: 
kbnosurvey kbarchive kbbug kbexchange2000sp3fix kbfix KB317721

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com