A migrated mailbox cannot send on behalf of Exchange Server 5.5 mailboxes in Exchange 2000 Server and in Exchange Server 2003
SYMPTOMSYou migrate a mailbox from Microsoft Exchange Server 5.5 to Microsoft Exchange 2000 Server or to Microsoft Exchange Server 2003. After you do this, that mailbox cannot send on behalf of Exchange Server 5.5 mailboxes. CAUSEThis issue occurs because Exchange Server 5.5 uses the Exchange Server 5.5 object distinguished name to determine permissions
on Exchange Server 5.5 objects.
Therefore, the access control list
uses the Exchange Server 5.5 object distinguished name as the access control entry for
assigned rights when you grant or delegate mailbox access to another account. Exchange Server 5.5 does not use security descriptors (NT Account SIDS) as the access control entry
for delegated rights on mailboxes, or
as the access control entry for public folders.
After you migrate an Exchange Server 5.5 mailbox to a server that is running a later version of Exchange Server, the user account passes its ObjectSID in the access token to Exchange Server 5.5. The user account does this when the user tries to access a public folder or to use a delegated right on an Exchange Server mailbox. Because Exchange Server 5.5 uses the Exchange Server 5.5 object distinguished name to determine permissions on Exchange Server 5.5 objects, the operation fails. WORKAROUNDTo work around this issue, migrate the shared mailbox and the mailboxes that have delegated rights at
the same time to
the server that is running Exchange 2000 Server or Exchange Server 2003. Alternatively, migrate the shared mailbox to the Exchange 2000 Server server or the Exchange Server 2003 server first. Then, move the mailboxes that have delegated rights. MORE INFORMATIONThis issue does not occur when Exchange Server 5.5 mailboxes send on behalf of Exchange 2000 Server or Exchange Server 2003 mailboxes. Exchange 2000 Server and Exchange Server 2003 recognize the object distinguished name. In Exchange 2000 Server and in Exchange Server 2003, the object distinguished name is referred to as the LegacyExchangeDN. Exchange Server queries the Active Directory directory service for the LegacyExchangeDN to determine what the ObjectSID of that account is. Exchange Server then passes the ObjectSID to the mailbox discretionary access control list. If the ObjectSID is listed, it is granted the appropriate access or rights. For more information about how to migrate mailboxes from Exchange Server 5.5, visit the following Microsoft Web sites: http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/mme55e2k.mspx (http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/mme55e2k.mspx)http://technet.microsoft.com/en-us/library/aa996194.aspx (http://technet.microsoft.com/en-us/library/aa996194.aspx)
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
328871 (http://support.microsoft.com/kb/328871/)
How to use the Exchange Migration Wizard to migrate mailboxes from an Exchange organization
328809 (http://support.microsoft.com/kb/328809/) Migrating mailboxes from an Exchange Server 5.5 organization to a separate Exchange 2000 or Exchange Server 2003 organization
APPLIES TO
| Article Translations
|
| United States | Change | | | All Microsoft Sites |
Help and Support
Back to the top
|
