The following recipient(s) could not be reached:
Recipient on Date Time
The message reached the recipient's e-mail system, but delivery was refused. Attempt to resend the message. If it still fails, contact your system administrator.
Server Name #5.2.1
Alternatively, to work around this issue if a small number of mailboxes is involved, generate an msExchMasterAccountSid attribute:
- On the View menu in the Active Directory Users and Computers snap-in, click Advanced Features.
- On the Exchange Advanced properties tab of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the
Associated External Account permission.
- If no account has this permission, grant the SELF Account, Associated External Account, and
Full Mailbox Access permissions.
Note The SELF account is available in all Microsoft Windows 2000 domains. All SELF accounts share a well-known SID that is the same across all domains. If the SELF account is not already listed in the
Permissions dialog box, you can add it by typing
SELF as the account name.
- If the SELF account or another account currently has
Associated External Account permissions, remove the
Associated External Account permissions from that account.
Only one account at a time can have the Associated External Account permission. Therefore, to reset the permission, you must first remove this permission.
- Exit all properties dialog boxes for the user object. To do this, click OK at each level. Do not click
Changes to permissions are not applied until you exit all properties dialog boxes.
- After the DsAccess cache is refreshed, the new configurations take effect. E-mail messages that are sent to the disabled account no longer generate NDRs.
To set the msExchMasterAccountSid attribute for many disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service Pack 2 (SP2), a new interface is exposed in CDOEXM. This interface is named MailboxRights. This exposure lets you programmatically modify the mailbox security descriptor.
For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
- -f: This switch indicates the export destination file.
- -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as
corp.company.com, it would become "dc=corp,dc=company,dc=com".
- -l: This switch, if it is used, restricts the output to the export file of only the attributes that are enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names and not attributes are generated.
- -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all the user objects that are disabled (msExchMasterAccountControl value of 2) and that do not have an msExchMasterAccountSid attribute.
For more information about how to use LDIFDE in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
. . . . .
Article ID: 319047 - Last Review: Dec 2, 2007 - Revision: 1