To work around this issue, enable the disabled account.
Alternatively, to work around this issue if a small number of mailboxes is involved, generate an msExchMasterAccountSid
- On the View menu in the Active Directory Users and Computers snap-in, click Advanced Features.
- On the Exchange Advanced properties tab of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission.
- If no account has this permission, grant the SELF Account, Associated External Account, and Full Mailbox Access permissions.
Note The SELF account is available in all Microsoft Windows 2000 domains. All SELF accounts share a well-known SID that is the same across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF as the account name.
- If the SELF account or another account currently has Associated External Account permissions, remove the Associated External Account permissions from that account.
Only one account at a time can have the Associated External Account permission. Therefore, to reset the permission, you must first remove this permission.
- Exit all properties dialog boxes for the user object. To do this, click OK at each level. Do not click Cancel.
Changes to permissions are not applied until you exit all properties dialog boxes.
- After the DsAccess cache is refreshed, the new configurations take effect. E-mail messages that are sent to the disabled account no longer generate NDRs.
You can use Lightweight Directory Access Protocol (LDAP) tools such as the ADSI Edit snap-in, the LDP utility, or Ldifde.exe to view the attributes of the user object and verify that the msExchMasterAccountSid
attribute has been created. Because of directory replication and Exchange cache refresh latencies, you may have to wait up to two hours after you make the change before you can move the mailbox.
To set the msExchMasterAccountSid
attribute for many disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service Pack 2 (SP2), a new interface is exposed in CDOEXM. This interface is named MailboxRights. This exposure lets you programmatically modify the mailbox security descriptor. For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
How to associate an external account with an existing Exchange 2000 mailbox
For information about other methods that you can use to set the msExchMasterAccountSid
attribute for many disabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:
To determine how many disabled user accounts do not have the msExchMasterAccountSid
attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectclass=user)(msexchuseraccountcontrol=2)(!msexchmasteraccountsid=*))"
The following list describes the LDIFDE parameters:
- -f: This switch indicates the export destination file.
- -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as corp.company.com, it would become "dc=corp,dc=company,dc=com".
- -l: This switch, if it is used, restricts the output to the export file of only the attributes that are enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names and not attributes are generated.
- -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all the user objects that are disabled (msExchMasterAccountControl value of 2) and that do not have an msExchMasterAccountSid attribute.
The following text is an example of the output file:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=comchangetype: add dn: CN=AAA R2,OU=Recipients,DC=domain,DC=comchangetype: add. . . . .
For more information about how to use LDIFDE in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
Using LDIFDE to import and export directory objects to Active Directory
We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT tool to create, to modify, or to delete the msExchMasterAccountSid
attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox