You are currently offline, waiting for your internet to reconnect

How to associate an external account with an existing Exchange 2000 mailbox

This article demonstrates how to associate an external account with an Exchange 2000 mailbox.

The following conditions must exist:
  • The external account must be a Windows NT user or a user in an Active Directory that is in a different forest from where the Exchange 2000 server resides.
  • There must be a trust between the domain where the NT or Active Directory user object resides and the domain where the Exchange user object resides.
To do this, you must modify attributes on a mailbox-enabled user object in the Active Directory by specifying the external account as its Master Account.

To associate an external account with a mailbox

To programmatically associate an external account with an Exchange 2000 mailbox, follow these steps:
  1. Create a mailbox-enabled user account in the Windows 2000/Exchange 2000 domain (if the account is not already created).

    Note After you create this user account, you must disable this user account.
  2. Create a user account in either a trusted Windows NT 4 domain or in a trusted Active Directory forest (if an account is not already created).
  3. On the mailbox-enabled user account that you created in step 1, set the msExchMasterAccountSID attribute to the security identifier (in its raw mode) of the NT 4 or Active Directory user.
  4. On the mailbox-enabled user account that you created in step 1, modify the security descriptor to add an access control entry (ACE) with the trustee set to the external NT or Active Directory account, and with rights to Read, Associated External Account, and Full Mailbox Access.

Code sample requirements

  • You must run the code on an Exchange 2000 SP2 server or on an Exchange 2000 SP1 server with hotfix
    302926 You cannot programmatically change mailbox rights
  • You must register the ADsSecurity.dll file on the system that is executing the script.

    To obtain the most current version of ADsSecurity.dll, install the most current version of the Microsoft Platform Software Development Kit (SDK) and use RegSvr32 (command: regsvr32 adssecurity.dll) to register the .dll file.

Code sample

The following code sample demonstrates this process:
'********************************************************************'*'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,'*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)'*'* Purpose: Adds an ACE to a DACL'* Input:       dacl            Object's Discretionary Access Control List'*              TrusteeName     SID or Name of the trustee user account'*              gAccessMask     Access Permissions'*              gAceType        ACE Types'*              gAceFlags       Inherit ACEs from the owner of the ACL'*              gFlags          ACE has an object type or inherited object type'*              gObjectType     Used for Extended Rights'*              gInheritedObjectType'*'* Output:  Object - New DACL with the ACE added'*'********************************************************************Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)' Bubble Error to Calling Function'On Error Resume Next    Dim Ace1    ' Add new ACE.    Set Ace1 = CreateObject("AccessControlEntry")    Ace1.AccessMask = gAccessMask    Ace1.AceType = gAceType    Ace1.AceFlags = gAceFlags    Ace1.Flags = gFlags    Ace1.Trustee = TrusteeName    'Determine whether ObjectType has to be set    If CStr(gObjectType) <> "0" Then       Ace1.ObjectType = gObjectType    End If    'Determine whether InheritedObjectType has to be set.    If CStr(gInheritedObjectType) <> "0" Then        Ace1.InheritedObjectType = gInheritedObjectType    End If    dacl.AddAce Ace1    ' Kill objects.    Set Ace1 = NothingEnd Function'********************************************************************'*'* Function ReorderACL(objDACL)'*'* Purpose: Reorders a DACL properly'* Input:       objDACL                     Access Control List (Object)'*'* Output:  Object - Reordered DACL'*'********************************************************************Function ReorderACL(objDACL, bMakeExplicit)    ' Dim objects.    Dim ImpDenyDacl, ImpDenyObjectDacl, InheritedDacl, ImpAllowDacl, ImpAllowObjectDacl    Dim objSD, newDACL    ' Dim other variables.    Dim ace        ' Set constants.    Const ADS_ACEFLAG_INHERITED_ACE = &H10    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0    Const ADS_ACETYPE_ACCESS_DENIED = &H1    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6        ' Create the new DACL.    Set objSD = CreateObject("SecurityDescriptor")        ' Create the ACL objects.    Set newDACL = CreateObject("AccessControlList")    Set ImpDenyDacl = CreateObject("AccessControlList")    Set ImpDenyObjectDacl = CreateObject("AccessControlList")    Set InheritedDacl = CreateObject("AccessControlList")    Set ImpAllowDacl = CreateObject("AccessControlList")    Set ImpAllowObjectDacl = CreateObject("AccessControlList")    ' Loop through the original DACL.    For Each ace In objDACL    If bMakeExplicit Then         If ((ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE) Then            ace.AceFlags = ace.AceFlags Xor ADS_ACEFLAG_INHERITED_ACE        End If   Else     ' The order of inherited ACEs does not matter.  Because you are     ' adding them to the top of a new list, when they are added back     ' to the DACL for the object, they will be in the same order as      ' originally.  This is a positive side affect of addin items or a LIFO     ' (Last In First Out) type list'     InheritedDacl.AddAce ace   End If     ' You have an implicit ACE; it belongs in the correct pool.     Select Case ace.AceType         Case ADS_ACETYPE_ACCESS_ALLOWED             ImpAllowDacl.AddAce ace         Case ADS_ACETYPE_ACCESS_DENIED             ImpDenyDacl.AddAce ace         Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT             ImpAllowObjectDacl.AddAce ace         Case ADS_ACETYPE_ACCESS_DENIED_OBJECT             ImpDenyObjectDacl.AddAce ace         Case Else            'Bad Ace, but let's just leave it out for now.      End Select   Next    '    ' Combine the ACEs in the proper order.    '   Implicit Deny    '   Implicit Deny Object    '   Implicit Allow    '   Implicit Allow Object    '   Inherited ACEs    '    ' Implicit Deny    For Each ace In ImpDenyDacl       newDACL.AddAce ace    Next        ' Implicit deny object.    For Each ace In ImpDenyObjectDacl       newDACL.AddAce ace    Next        ' Implicit allow.    For Each ace In ImpAllowDacl       newDACL.AddAce ace    Next        ' Implicit allow object.    For Each ace In ImpAllowObjectDacl       newDACL.AddAce ace    Next    ' Inherited ACEs.    For Each ace In InheritedDacl       newDACL.AddAce ace    Next        'Set the Appropriate revision level for the DACL.    newDACL.AclRevision = objDACL.AclRevision    ' Return properly ordered DACL.    Set ReorderACL = newDACL        ' Kill objects.    Set newDACL = Nothing    Set InheritedDacl = Nothing    Set ImpAllowObjectDacl = Nothing    Set ImpAllowDacl = Nothing    Set ImpDenyObjectDacl = Nothing    Set ImpDenyDacl = Nothing    Set objSD = NothingEnd FunctionPrivate Sub Command1_Click()Dim objUser As IADsUserDim oSID As New ADsSIDDim RawSIDDim oSecurityDescriptor As New SecurityDescriptorDim dacl As New AccessControlListDim ace As New AccessControlEntry' You have to change these variables according to your environment.' This is the external account.sWinNTPath_Ext_Account = "WinNT://NTDomainName/NTDomainUser"<BR/>' This is the external account.sAssocNTAccount = "NTDomainName\NTDomainUser"' This is the Windows 2000 mailbox-enabled object (Exchange mailbox).sEx2kMbxPath = "LDAP://Win2KDC/CN=testarticle,cn=users,DC=MyWin2KDomain,DC=com"' Get directory user object.Set objUser = GetObject(sEx2kMbxPath)' User ADsSecurity.dll to determine the user's SID from the NT domain.oSID.SetAs ADS_SID_WINNT_PATH, sWinNTPath_Ext_AccountRawSID = oSID.GetAs(ADS_SID_RAWSTRING)' Set msExchMasterAccountSID.' This is the same task that is performed by ADUnC when checking the "Associated External Account" check box.' Under the Mailbox Rights in the Exchange Advanced tab on the properties of a user.objUser.Put "msExchMasterAccountSID", RawSIDobjUser.SetInfoSet oSecurityDescriptor = objUser.MailboxRightsOn Error Resume NextSet oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")If (Err) ThenDebug.Print "The msExchMailboxSecurityDescriptor attribute is empty."Debug.Print "Hence this user's mailbox does not have any mailbox rights set on it."Debug.Print "Error (" & Err.Number & "): " & Err.DescriptionExit SubEnd If' Extract the discretionary access control list (ACL) using the IADsSecurityDescriptor interface.Set dacl = oSecurityDescriptor.DiscretionaryAclDebug.Print "Here are the existing ACEs the mailbox's DACL - "' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList interface.' Hence displaying the current mailbox rights.For Each ace In dacl' Display all the ACEs' properties using the IADsAccessControlEntry interface.Debug.Print ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectTypeNext' Adding a new ACE for Full Control to allow "Full Control" for the external account over this mailbox.' This is the same task that is performed by ADUnC when checking the "Full Control" Rights check box.' Under the Mailbox Rights in the Exchange Advanced tab on the properties of a user.AddAce dacl, sAssocNTAccount, (ADS_RIGHT_DELETE + ADS_RIGHT_ACTRL_DS_LIST + ADS_RIGHT_DS_CREATE_CHILD + ADS_RIGHT_READ), _ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERITED_ACE, 0, 0, 0' Reorder ACEs in the DACL.Set dacl = ReorderACL(dacl, True)' Add new DACL to the Security Descriptor.oSecurityDescriptor.DiscretionaryAcl = dacl' Save new SD onto the user.objUser.MailboxRights = Array(oSecurityDescriptor)objUser.SetInfoMsgBox "Done"End Sub				
For more information about how to do this by using the Exchange System Manager, click the following article number to view the article in the Microsoft Knowledge Base:
278888 How to associate an Exchange 2000 mailbox or an Exchange 2003 mailbox with a Windows NT 4.0 account

Article ID: 322890 - Last Review: 06/19/2014 14:48:00 - Revision: 7.0

  • kbdswadsi2003swept kbhowtomaster KB322890