Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

A migrated mailbox cannot send on behalf of Exchange Server 5.5 mailboxes in Exchange 2000 Server and in Exchange Server 2003



Symptoms

You migrate a mailbox from Microsoft Exchange Server 5.5 to Microsoft Exchange 2000 Server or to Microsoft Exchange Server 2003. After you do this, that mailbox cannot send on behalf of Exchange Server 5.5 mailboxes.



Cause

This issue occurs because Exchange Server 5.5 uses the Exchange Server 5.5 object distinguished name to determine permissions on Exchange Server 5.5 objects. Therefore, the access control list uses the Exchange Server 5.5 object distinguished name as the access control entry for assigned rights when you grant or delegate mailbox access to another account. Exchange Server 5.5 does not use security descriptors (NT Account SIDs) as the access control entry for delegated rights on mailboxes, or as the access control entry for public folders.

After you migrate an Exchange Server 5.5 mailbox to a server that is running a later version of Exchange Server, the user account passes its ObjectSID in the access token to Exchange Server 5.5. The user account does this when the user tries to access a public folder or to use a delegated right on an Exchange Server mailbox. Because Exchange Server 5.5 uses the Exchange Server 5.5 object distinguished name to determine permissions on Exchange Server 5.5 objects, the operation fails.



Workaround

To work around this issue, migrate the shared mailbox and the mailboxes that have delegated rights at the same time to the server that is running Exchange 2000 Server or Exchange Server 2003. Alternatively, migrate the shared mailbox to the Exchange 2000 Server server or the Exchange Server 2003 server first. Then, move the mailboxes that have delegated rights.
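The following pre-migration check is an added example and is not part of the Microsoft article. It flags send-on-behalf relationships that a proposed migration batch would break and expands the batch so that shared mailboxes move with their delegates. The inventory format and all mailbox names are constructed assumptions.

```python
# Added example: constructed inventory, hypothetical mailbox names throughout.
LEGACY = "5.5"  # mailboxes still homed on Exchange Server 5.5

# mailbox -> (current Exchange version, mailboxes it may send on behalf of)
INVENTORY = {
    "sales-shared": ("5.5", []),
    "alice": ("5.5", ["sales-shared"]),
    "bob": ("5.5", ["sales-shared", "alice"]),
    "carol": ("2003", []),
    "dave": ("5.5", ["carol"]),
}


def broken_delegations(inventory, batch):
    """Return (delegate, owner) pairs that fail once `batch` is migrated.

    A pair fails when the delegate is on Exchange 2000/2003 (it presents a
    SID) while the owner mailbox is still on Exchange Server 5.5 (its ACL
    holds distinguished names).
    """
    def version_after(name):
        return "migrated" if name in batch else inventory[name][0]

    broken = []
    for delegate, (_, owners) in sorted(inventory.items()):
        if version_after(delegate) == LEGACY:
            continue  # a 5.5 delegate works against either server version
        for owner in owners:
            if version_after(owner) == LEGACY:
                broken.append((delegate, owner))
    return broken


def safe_batch(inventory, batch):
    """Grow `batch` until nothing breaks by pulling in every 5.5 owner that
    a migrated delegate depends on (the "same time" workaround)."""
    batch = set(batch)
    while True:
        missing = {owner for _, owner in broken_delegations(inventory, batch)}
        if not missing:
            return batch
        batch |= missing  # owners may have owners of their own; re-check
```
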



More information

This issue does not occur when Exchange Server 5.5 mailboxes send on behalf of Exchange 2000 Server or Exchange Server 2003 mailboxes. Exchange 2000 Server and Exchange Server 2003 recognize the object distinguished name.

In Exchange 2000 Server and in Exchange Server 2003, the object distinguished name is referred to as the LegacyExchangeDN. Exchange Server queries the Active Directory directory service for the LegacyExchangeDN to determine what the ObjectSID of that account is. Exchange Server then passes the ObjectSID to the mailbox discretionary access control list. If the ObjectSID is listed, it is granted the appropriate access or rights.

For more information about how to migrate mailboxes from Exchange Server 5.5, click the following article numbers to view the articles in the Microsoft Knowledge Base:
328871 How to use the Exchange Migration Wizard to migrate mailboxes from an Exchange organization
328809 Migrating mailboxes from an Exchange Server 5.5 organization to a separate Exchange 2000 or Exchange Server 2003 organization



Keywords: KB920860, kbtshoot, kbexpertiseadvanced


Article Info
Article ID : 920860
Revision : 4
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False