To resolve this problem, you must use the Active Directory Users and Computers MMC snap-in to
clear the
Associated external account attribute from the mailbox. Clearing the
Associated external account attribute causes the
msExchMasterAccountSID attribute to clear.
Use the Active Directory Users and Computers snap-in to clear the Associated External Account attribute
- Click Start, point to
Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
- Click View, and then make sure that there
is a check mark in the Advanced Features check box. If the Advanced Features check box is not selected, click Advanced Features.
Note A check mark in the Advanced Features box means that this feature
is turned on. - In the folder tree, click
Users.
- In the right pane, find the user account that you want to
change, and then click Properties.
- Click the Exchange Advanced tab, and then
click Mailbox Rights.
- Under Name, view each entry. Find the
account that has the Allow check box selected for
the Associated external account check box, and then click to clear the
Allow check box.
How to clear the msExchMasterAccountSID attribute for lots of enabled user accounts
To clear the
msExchMasterAccountSID attribute for lots of enabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Microsoft Exchange 2000 Server Service Pack 2 (SP2), a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.
For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
322890�
How to associate an external account with an existing Exchange 2000 mailbox
For additional methods that you can use to remove the
msExchMasterAccountSid attribute for lots of enabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:
To determine how many enabled user accounts have a value set on the
msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=0)((msexchmasteraccountsid=*)))"
The following list describes the Ldifde parameters:
- -f: This switch indicates the export destination file.
- -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as corp.company.com, it would become "dc=corp,dc=company,dc=com".
- -l: This switch, if it is used, restricts output to the export file of only the attributes enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names, not attributes, are generated.
- -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all user objects that are enabled (msExchMasterAccountControl value of 0) and that have a value set for the msExchMasterAccountSID attribute.
The following text is an example of the output file:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
changetype: add
dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
changetype: add
. . . . .
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
237677�
Using LDIFDE to Import and Export Directory Objects to Active Directory
Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT or LDP tools to create, to modify, or to delete the
msExchMasterAccountSid attribute.