This article was previously published under Q316754
This article has been archived. It is offered "as is" and will no longer be updated.
After you migrate user accounts and mailboxes from a Microsoft Windows NT 4.0 and Microsoft Exchange Server 5.5 topology to a Microsoft Windows 2000 and Exchange 2000 environment, permissions may no longer function properly. Permissions may be displayed in the following format (where DOMAIN-NAME is the name of the Windows NT 4.0 domain):
This problem may occur if the Windows 2000 Active Directory-based user account is a disabled account. When you move the mailbox from Exchange Server 5.5 to Exchange 2000, the Exchange information store access control entries (ACE) are not updated to reflect that the user now resides in Active Directory (instead of the Windows NT 4.0 domain). If you subsequently use a tool such as the Active Directory Cleanup Wizard to merge this disabled account with an enabled account, the information store tries to use the value that is stored in the objectSid attribute. However, because the ACE in the information store still points to a Windows NT 4.0 security descriptor (in the sidHistory attribute), the ACE cannot be resolved and displays the following:
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
The English version of this fix should have the following file attributes or later:
Component: Information store
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.