You receive a non-delivery report when you send a message to a disabled account
The following recipient(s) could not be reached:
Recipient on Date Time
The message reached the recipient's e-mail system, but delivery was refused. Attempt to resend the message. If it still fails, contact your system administrator.
Server Name #5.2.1
Alternatively, to work around this issue if a small number of mailboxes is involved, generate an msExchMasterAccountSid attribute:
- On the View menu in the Active Directory Users and Computers snap-in, click Advanced Features.
- On the Exchange Advanced properties tab of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission.
- If no account has this permission, grant the SELF Account, Associated External Account, and Full Mailbox Access permissions.
Note: The SELF account is available in all Microsoft Windows 2000 domains. All SELF accounts share a well-known SID that is the same across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF as the account name.
- If the SELF account or another account currently has Associated External Account permissions, remove the Associated External Account permissions from that account.
Only one account at a time can have the Associated External Account permission. Therefore, to reset the permission, you must first remove this permission.
- Exit all properties dialog boxes for the user object. To do this, click OK at each level. Do not click Cancel.
Changes to permissions are not applied until you exit all properties dialog boxes.
- After the DsAccess cache is refreshed, the new configurations take effect. E-mail messages that are sent to the disabled account no longer generate NDRs.
To set the msExchMasterAccountSid attribute for many disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service Pack 2 (SP2), a new interface is exposed in CDOEXM. This interface is named MailboxRights. This exposure lets you programmatically modify the mailbox security descriptor. For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
- -f: This switch indicates the export destination file.
- -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as corp.company.com, it would become "dc=corp,dc=company,dc=com".
- -l: This switch, if it is used, restricts the export file to only the attributes that are enumerated by the switch. In this case, the non-existent attribute "nothing" is used so that only object names, and no attributes, are written.
- -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all the user objects that are disabled (msExchMasterAccountControl value of 2) and that do not have an msExchMasterAccountSid attribute.
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
changetype: add

dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
changetype: add
. . . . .

For more information about how to use LDIFDE in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
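As an added example (not part of the original article), the following Python code reads an export of the shape shown above and lists the DNs it contains, so the set of disabled accounts can be reviewed and checked against the intended domain before any bulk change to mailbox rights. It goes slightly beyond the sample by handling folded lines and base64 "dn::" values, which LDIF (RFC 2849) permits; the sample data and all function names are constructed for illustration.

```python
import base64

# Constructed sample in the shape of the export above, plus two RFC 2849
# cases: a DN folded onto a continuation line and a base64 ("dn::") DN.
_NON_ASCII_DN = "CN=Jürgen Test,OU=Recipients,DC=domain,DC=com"
SAMPLE_LDIF = (
    "dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com\nchangetype: add\n\n"
    "dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com\nchangetype: add\n\n"
    "# constructed comment line\n"
    "dn: CN=Long Display Name,OU=Recipients,\n DC=domain,DC=com\n"
    "changetype: add\n\n"
    "dn:: " + base64.b64encode(_NON_ASCII_DN.encode("utf-8")).decode("ascii")
    + "\nchangetype: add\n"
)


def unfold(text):
    """Join continuation lines (a line starting with one space) to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def exported_dns(text):
    """Return the DN of every record in the export, in file order."""
    dns = []
    for line in unfold(text):
        if line.startswith("#"):
            continue
        key = line[:4].lower()
        if key == "dn::":  # base64-encoded UTF-8 DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif key.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def outside_base(dns, base_dn):
    """Return DNs that are not under base_dn (simple case-insensitive suffix match)."""
    suffix = "," + base_dn.lower()
    return [dn for dn in dns if not dn.lower().endswith(suffix)]


if __name__ == "__main__":
    found = exported_dns(SAMPLE_LDIF)
    print(len(found), "accounts;", len(outside_base(found, "DC=domain,DC=com")), "outside base")
```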
Article ID: 319047 - Last Review: 12/03/2007 04:28:00 - Revision: 4.6