It isn't a choice, you need to set the MAS and the AEA and
FC ACEs in the mailbox ACL.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Wednesday, June 08, 2005 12:39 PM
To: [email protected]
Subject: RE: [ActiveDir] Exchange and disabling accounts

Well, from my understanding you have a choice of either giving SELF the associate external account permission or changing it via ldif import to:

AQEAAAAAAAUKAAAA

I currently run a script I wrote to find these accounts and change the attribute every few weeks… I'll get these guys to use my termination methods soon enough ;-)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN

Hello;

Indeed, I have used admodify for 1 year because it's a great tool that fits all my needs without having much knowledge in dev..... like me :)
AD 2003 has this option of bulk modify objects attributes but it's a bit limited.

Alex: joe stated that you have to set associated external account and the msExchangeMasterAccountSid attribute to self.

I think that

    admodcmd -dn "john doe" -s -grantselfaea

is for "associated external account" and

    admodcmd -dn "john doe" -s -grantselffullandread

is to give Grants Full Mailbox Access and Read to SELF.

But what about setting the msExchangeMasterAccountSid attribute to self? Is it the -grantselffullandread switch?

Regards,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex

I wrote a batch file used during terminations that included granting the SELF account the associate external account permission. I used a tool called admodcmd. I believe this is the site: http://blogs.technet.com/exchange/archive/2004/08/20/208045.aspx

    admodcmd -dn "john doe" -s -grantselffullandread
    admodcmd -dn "john doe" -s -grantselfaea

-Alex

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto

Hi Everyone,

After users (with mailboxes) leave the organization their user accounts are disabled for an amount of time and after that they are deleted.

When an account is disabled the attribute msExchUserAccountControl is set to 2. This tells Exchange to look at the attribute msExchMasterAccountSid for permissioning. However when disabling a user account, Exchange starts complaining with event ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL within Exchange. This happens because the attribute msExchMasterAccountSid is empty and is not automatically populated when disabling the account. The solution to this is to at least have one account on the Exchange security descriptor of the mailbox of the disabled user account with the permission "Associated External Account" and if no account has this permission on the mailbox (which is default) the solution is to at least add SELF with the permission "Associated External Account" through the GUI of ADUC. This is mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist in the domain that have been disabled at once. So Exchange is screaming in the event logs.

For one account the syntax is:
For multiple accounts the syntax is:
In this case:

I don't want to replace the DACL, I just want to add an ACE for SELF with the permissions mentioned to the ACL in the DACL.

Does anyone know how to do this with ADMOD and how to specify <ACE> in this case?

Thanks!
Title: Exchange and disabling accounts
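
Added example (not part of the original thread, and not code from any poster): the LDIF value quoted in the thread, AQEAAAAAAAUKAAAA, is the base64 form of the binary SID S-1-5-10, the well-known SID for SELF. The Python below decodes and re-encodes that value and flags the state described in the original question (msExchUserAccountControl = 2 with an empty msExchMasterAccountSid); the dictionary layout of the export and the sample DNs are constructed assumptions.

```python
import base64
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Render a binary Windows SID in its S-R-A-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_ldif_value(sid: str) -> str:
    """Encode an S-... string as the base64 text LDIF expects after 'attr::'."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return base64.b64encode(raw).decode("ascii")

def needs_master_sid(entry: dict) -> bool:
    """True when msExchUserAccountControl is 2 (disabled account) and
    msExchMasterAccountSid is empty, the state described in the thread."""
    return (entry.get("msExchUserAccountControl") == "2"
            and not entry.get("msExchMasterAccountSid"))

# Constructed sample export; the dict layout and DNs are assumptions.
SAMPLE = [
    {"dn": "CN=John Doe,OU=Leavers,DC=example,DC=test",
     "msExchUserAccountControl": "2", "msExchMasterAccountSid": ""},
    {"dn": "CN=Jane Roe,OU=Leavers,DC=example,DC=test",
     "msExchUserAccountControl": "2", "msExchMasterAccountSid": "AQEAAAAAAAUKAAAA"},
    {"dn": "CN=Active User,OU=Staff,DC=example,DC=test",
     "msExchUserAccountControl": "0", "msExchMasterAccountSid": ""},
]

def audit(entries):
    """Return the DNs of entries that still need msExchMasterAccountSid set."""
    return [e["dn"] for e in entries if needs_master_sid(e)]

if __name__ == "__main__":
    print(sid_from_bytes(base64.b64decode("AQEAAAAAAAUKAAAA")))
    print(audit(SAMPLE))
```

This checks only the attribute; it does not inspect the mailbox ACL for the Associated External Account or Full Mailbox Access entries mentioned in the replies.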
