Article ID: 319047
This article was previously published under Q319047
When you try to send an e-mail message to a disabled account in Microsoft Exchange 2000 Server, you may receive a non-delivery report (NDR) similar to the following message:
Your message did not reach some or all of the intended recipients.
The following recipient(s) could not be reached:
Recipient on Date Time
The message reached the recipient's e-mail system, but delivery was refused. Attempt to resend the message. If it still fails, contact your system administrator.
Server Name #5.2.1
This issue occurs because the disabled account does not have the msExchMasterAccountSid attribute. When an account is disabled, this field must be populated with a Windows NT Security Identifier (SID). At a minimum, the well-known SELF SID must be in the attribute.
To work around this issue, enable the disabled account.
Alternatively, to work around this issue if a small number of mailboxes is involved, generate an msExchMasterAccountSid attribute:
To set the msExchMasterAccountSid attribute for many disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service Pack 2 (SP2), a new interface is exposed in CDOEXM. This interface is named MailboxRights. This exposure lets you programmatically modify the mailbox security descriptor. For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890 (http://support.microsoft.com/kb/322890/) How to associate an external account with an existing Exchange 2000 mailbox
For information about other methods that you can use to set the msExchMasterAccountSid attribute for many disabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
To determine how many disabled user accounts do not have the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectclass=user)(msexchuseraccountcontrol=2)(!msexchmasteraccountsid=*))"
The following list describes the LDIFDE parameters:
The export file resembles the following:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
changetype: add

dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
changetype: add
. . . . .
For more information about how to use LDIFDE in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
237677 (http://support.microsoft.com/kb/237677/) Using LDIFDE to import and export directory objects to Active Directory
Note: We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT tool to create, to modify, or to delete the msExchMasterAccountSid attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
903158 (http://support.microsoft.com/kb/903158/) A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox
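As an added example (not part of the original article), the following Python code counts the entries in the export file that the Ldifde.exe command above produces and groups them by parent container, which shows how many disabled accounts lack msExchMasterAccountSid and where they are. The sample export, the user names in it, and the function names are constructed for illustration; the code handles folded LDIF lines, base64-encoded DNs, and escaped commas.

```python
import base64
import re
from collections import Counter

# Constructed sample of file.txt; a real export comes from the ldifde command above.
_B64_DN = base64.b64encode(
    "CN=J\u00fcrgen K,OU=Recipients,DC=domain,DC=com".encode("utf-8")).decode("ascii")
SAMPLE_EXPORT = (
    "dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com\nchangetype: add\n\n"
    "dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com\nchangetype: add\n\n"
    # Long DN folded onto a continuation line, with an escaped comma in the CN.
    "dn: CN=Smith\\, John,OU=Former Staff,OU=Recipients,\n DC=domain,DC=com\n"
    "changetype: add\n\n"
    # Non-ASCII DN, which LDIF writes base64-encoded after 'dn::'.
    f"dn:: {_B64_DN}\nchangetype: add\n"
)

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def exported_dns(text):
    """Return the DN of every entry in the export, decoding base64 DNs."""
    dns = []
    for line in unfold(text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def count_by_container(dns):
    """Count accounts per parent container, splitting at the first unescaped comma."""
    return Counter(re.split(r"(?<!\\),", dn, maxsplit=1)[1] for dn in dns)

if __name__ == "__main__":
    found = exported_dns(SAMPLE_EXPORT)
    print(f"{len(found)} disabled accounts lack msExchMasterAccountSid")
    for container, n in count_by_container(found).most_common():
        print(f"{n:4d}  {container}")
```

To run it against a real export, read file.txt into a string and pass it to exported_dns in place of SAMPLE_EXPORT.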
Article ID: 319047 - Last Review: December 3, 2007 - Revision: 4.6