How to associate an external account with an existing Exchange 2000 mailbox


This article demonstrates how to associate an external account with an Exchange 2000 mailbox.

The following conditions must exist:
  • The external account must be a Windows NT user or a user in an Active Directory that is in a different forest from where the Exchange 2000 server resides.
  • There must be a trust between the domain where the NT or Active Directory user object resides and the domain where the Exchange user object resides.
To do this, you must modify attributes on a mailbox-enabled user object in the Active Directory by specifying the external account as its Master Account.

To associate an external account with a mailbox

To programmatically associate an external account with an Exchange 2000 mailbox, follow these steps:

  1. Create a mailbox-enabled user account in the Windows 2000/Exchange 2000 domain (if the account is not already created).

    Note After you create this user account, you must disable this user account.
  2. Create a user account in either a trusted Windows NT 4 domain or in a trusted Active Directory forest (if an account is not already created).
  3. On the mailbox-enabled user account that you created in step 1, set the msExchMasterAccountSID attribute to the security identifier (in its raw mode) of the NT 4 or Active Directory user.
  4. On the mailbox-enabled user account that you created in step 1, modify the security descriptor to add an access control entry (ACE) with the trustee set to the external NT or Active Directory account, and with rights to Read, Associated External Account, and Full Mailbox Access.

Code sample requirements

  • You must run the code on an Exchange 2000 SP2 server or on an Exchange 2000 SP1 server with hotfix
    302926 You cannot programmatically change mailbox rights

  • You must register the ADsSecurity.dll file on the system that is executing the script.

    To obtain the most current version of ADsSecurity.dll, install the most current version of the Microsoft Platform Software Development Kit (SDK) and use RegSvr32 (command: regsvr32 adssecurity.dll) to register the .dll file.

Code sample

The following code sample demonstrates this process:

'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'* gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'* Purpose: Adds an ACE to a DACL
'* Input: dacl Object's Discretionary Access Control List
'* TrusteeName SID or Name of the trustee user account
'* gAccessMask Access Permissions
'* gAceType ACE Types
'* gAceFlags Inherit ACEs from the owner of the ACL
'* gFlags ACE has an object type or inherited object type
'* gObjectType Used for Extended Rights
'* gInheritedObjectType
'* Output: Object - New DACL with the ACE added

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
' Bubble Error to Calling Function
'On Error Resume Next
Dim Ace1
' Add new ACE.
Set Ace1 = CreateObject("AccessControlEntry")
Ace1.AccessMask = gAccessMask
Ace1.AceType = gAceType
Ace1.AceFlags = gAceFlags
Ace1.Flags = gFlags
Ace1.Trustee = TrusteeName
'Determine whether ObjectType has to be set
If CStr(gObjectType) <> "0" Then
Ace1.ObjectType = gObjectType
End If

'Determine whether InheritedObjectType has to be set.
If CStr(gInheritedObjectType) <> "0" Then
Ace1.InheritedObjectType = gInheritedObjectType
End If
dacl.AddAce Ace1

' Kill objects.
Set Ace1 = Nothing
End Function

'* Function ReorderACL(objDACL)
'* Purpose: Reorders a DACL properly
'* Input: objDACL Access Control List (Object)
'* Output: Object - Reordered DACL

Function ReorderACL(objDACL, bMakeExplicit)
' Dim objects.
Dim ImpDenyDacl, ImpDenyObjectDacl, InheritedDacl, ImpAllowDacl, ImpAllowObjectDacl
Dim objSD, newDACL
' Dim other variables.
Dim ace

' Set constants.

' Create the new DACL.
Set objSD = CreateObject("SecurityDescriptor")

' Create the ACL objects.
Set newDACL = CreateObject("AccessControlList")
Set ImpDenyDacl = CreateObject("AccessControlList")
Set ImpDenyObjectDacl = CreateObject("AccessControlList")
Set InheritedDacl = CreateObject("AccessControlList")
Set ImpAllowDacl = CreateObject("AccessControlList")
Set ImpAllowObjectDacl = CreateObject("AccessControlList")

' Loop through the original DACL.
For Each ace In objDACL
If bMakeExplicit Then
ace.AceFlags = ace.AceFlags Xor ADS_ACEFLAG_INHERITED_ACE
End If
' The order of inherited ACEs does not matter. Because you are
' adding them to the top of a new list, when they are added back
' to the DACL for the object, they will be in the same order as
' originally. This is a positive side affect of addin items or a LIFO
' (Last In First Out) type list'
InheritedDacl.AddAce ace
End If
' You have an implicit ACE; it belongs in the correct pool.
Select Case ace.AceType
ImpAllowDacl.AddAce ace
ImpDenyDacl.AddAce ace
ImpAllowObjectDacl.AddAce ace
ImpDenyObjectDacl.AddAce ace
Case Else
'Bad Ace, but let's just leave it out for now.
End Select
' Combine the ACEs in the proper order.
' Implicit Deny
' Implicit Deny Object
' Implicit Allow
' Implicit Allow Object
' Inherited ACEs
' Implicit Deny
For Each ace In ImpDenyDacl
newDACL.AddAce ace

' Implicit deny object.
For Each ace In ImpDenyObjectDacl
newDACL.AddAce ace

' Implicit allow.
For Each ace In ImpAllowDacl
newDACL.AddAce ace

' Implicit allow object.
For Each ace In ImpAllowObjectDacl
newDACL.AddAce ace

' Inherited ACEs.
For Each ace In InheritedDacl
newDACL.AddAce ace

'Set the Appropriate revision level for the DACL.
newDACL.AclRevision = objDACL.AclRevision

' Return properly ordered DACL.
Set ReorderACL = newDACL

' Kill objects.
Set newDACL = Nothing
Set InheritedDacl = Nothing
Set ImpAllowObjectDacl = Nothing
Set ImpAllowDacl = Nothing
Set ImpDenyObjectDacl = Nothing
Set ImpDenyDacl = Nothing
Set objSD = Nothing
End Function
Private Sub Command1_Click()
Dim objUser As IADsUser
Dim oSID As New ADsSID
Dim RawSID
Dim oSecurityDescriptor As New SecurityDescriptor
Dim dacl As New AccessControlList
Dim ace As New AccessControlEntry
' You have to change these variables according to your environment.
' This is the external account.
sWinNTPath_Ext_Account = "WinNT://NTDomainName/NTDomainUser"<BR/>
' This is the external account.
sAssocNTAccount = "NTDomainName\NTDomainUser"
' This is the Windows 2000 mailbox-enabled object (Exchange mailbox).
sEx2kMbxPath = "LDAP://Win2KDC/CN=testarticle,cn=users,DC=MyWin2KDomain,DC=com"
' Get directory user object.
Set objUser = GetObject(sEx2kMbxPath)
' User ADsSecurity.dll to determine the user's SID from the NT domain.
oSID.SetAs ADS_SID_WINNT_PATH, sWinNTPath_Ext_Account
' Set msExchMasterAccountSID.
' This is the same task that is performed by ADUnC when checking the "Associated External Account" check box.
' Under the Mailbox Rights in the Exchange Advanced tab on the properties of a user.
objUser.Put "msExchMasterAccountSID", RawSID

Set oSecurityDescriptor = objUser.MailboxRights
On Error Resume Next
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
If (Err) Then
Debug.Print "The msExchMailboxSecurityDescriptor attribute is empty."
Debug.Print "Hence this user's mailbox does not have any mailbox rights set on it."
Debug.Print "Error (" & Err.Number & "): " & Err.Description
Exit Sub
End If
' Extract the discretionary access control list (ACL) using the IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Debug.Print "Here are the existing ACEs the mailbox's DACL - "
' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList interface.
' Hence displaying the current mailbox rights.
For Each ace In dacl
' Display all the ACEs' properties using the IADsAccessControlEntry interface.
Debug.Print ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
' Adding a new ACE for Full Control to allow "Full Control" for the external account over this mailbox.
' This is the same task that is performed by ADUnC when checking the "Full Control" Rights check box.
' Under the Mailbox Rights in the Exchange Advanced tab on the properties of a user.
' Reorder ACEs in the DACL.
Set dacl = ReorderACL(dacl, True)
' Add new DACL to the Security Descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save new SD onto the user.
objUser.MailboxRights = Array(oSecurityDescriptor)
MsgBox "Done"
End Sub


For more information about how to do this by using the Exchange System Manager, click the following article number to view the article in the Microsoft Knowledge Base:

278888 How to associate an Exchange 2000 mailbox or an Exchange 2003 mailbox with a Windows NT 4.0 account