You can download a script doing the job from http://users.skynet.be/garbage/CreateExchangeMBInMultiForest.zip
 
C:\>CreateMB.wsf
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
 
Usage: CreateMB.wsf /AcctSRV:value /ExSRV:value [/UserID:value]
 
Options:
 
AcctSRV : Specifies the FQDN of a GC in the Account Forest.
ExSRV   : Specifies the non-FQDN of an Exchange server in the Exchange Forest.
UserID  : Specifies the existing account UserID in the Account Forest.

Examples:
 
      CreateMB.wsf /AcctSRV:MyDC.MyAccountDomain.Com /ExSRV:MyExchangeSRV /UserID:James.Bond
 
The script is a little bit complicated, but it provides the most granular approach to understanding how to customize attributes. It makes use of ADSI to create an Exchange Server 2000/2003 mailbox in this context. The script must be run in the Exchange Forest and looks up the necessary information in the Account Forest. Although Microsoft does not officially support the exclusive use of ADSI to create an Exchange Server 2000/2003 mailbox, this discovery will be of great value when setting up synchronization tools, as most of them work on low-level attribute settings and mapping techniques.
The script touches a list of attributes documented in a white paper listed at http://www.lissware.net, "The powerful combination of WSH and ADSI under Windows 2000".
 
When working in a Multi-Forest context, some attributes with Exchange Server 2000/2003 Active Directory schema extensions take on a particular meaning or configuration. There are three important attributes used in this context:

The msExchUserAccountControl Attribute

The msExchUserAccountControl mirrors the account status stored in the userAccountControl attribute. The userAccountControl attribute controls the disabled/enabled state of the user account. When the user is enabled, bit 1 of the userAccountControl attribute is set to 0 and the msExchUserAccountControl attribute is set to 0. When the user account is disabled, bit 1 of the userAccountControl attribute is set to 1 and the msExchUserAccountControl attribute is set to 2. When the msExchUserAccountControl attribute is set to 2, it tells the Exchange store to perform a logon for the associated external user account.

The msExchMasterAccountSID Attribute

The msExchMasterAccountSID attribute is set in two circumstances:

- When the ADC creates a Windows 2000 user account from an Exchange 5.5 mailbox, the Primary NT account SID set on the Exchange 5.5 mailbox is copied to the msExchMasterAccountSID attribute.

- When an external account is associated with an Exchange Server 2000/2003 mailbox, the msExchMasterAccountSID attribute is set with the SID of the associated external user account. The SID contained in the objectSID attribute of the user account in the Account Forest is set to the msExchMasterAccountSID attribute of the mailbox-enabled disabled user account in the Exchange Forest. This configuration is required to ensure that the Exchange Server 2000/2003 mailbox is accessible to accounts located in the Account Forest.

The msExchMailboxSecurityDescriptor Attribute

Mailbox security is defined in the msExchMailboxSecurityDescriptor Active Directory attribute. However, the msExchMailboxSecurityDescriptor attribute is not the real security descriptor for the Exchange Server 2000/2003 mailbox; this descriptor is stored in the Exchange Store. The msExchMailboxSecurityDescriptor attribute is just a shadow of that security descriptor. This behavior is particularly important when one wants to update the security of an Exchange Server 2000/2003 mailbox.
Refer to "Exchange Server 2000 SP2 CDOEXM Updates" at http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=38190 (complete list at http://www.lissware.net) for more information about the particularities of the Exchange Server 2000/2003 mailbox security descriptor and how it should be updated.
Granting an associated external user account on the Exchange Server 2000/2003 mailbox modifies the security descriptor by adding an Access Control Entry (ACE) to the Discretionary Access Control List (DACL) of the descriptor. Only one associated external user account can be granted on a mailbox.
 
Outlook and the GAL
 
The Account Forest holds accounts without any particular information related to Exchange Server 2000/2003. In such a case, it is very important that Outlook clients access GCs that are part of the Exchange Forest in order to use a populated GAL. Exchange Server 2000/2003 specifies the GC location via the DSProxy component. The Outlook MAPI client saves the GC referral received by Exchange Server 2000/2003 to the following registry key:
 
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<Profile Name>\dca740c8c042101ab4b908002b2fe182
Value name: 001e6602
Value type: STRING
Value data: <FQDN of the GC>
 
 
HTH
/Alain
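The attribute handling described in the reply above, as an added PowerShell/ADSI example that is not part of Alain's CreateMB.wsf script and not a Microsoft-supported procedure. It reads the objectSid of the external account through a GC of the Account Forest, sets userAccountControl (disabled), msExchUserAccountControl (2) and msExchMasterAccountSID on the disabled, mailbox-enabled user in the Exchange Forest, and then checks that the three values are consistent. It deliberately does not write msExchMailboxSecurityDescriptor, since that attribute is only a shadow of the store's descriptor. All names (MyDC.MyAccountDomain.Com, James.Bond, the LDAP path of the Exchange Forest user) are hypothetical; the Get-/Set- functions need both forests reachable, while Test-LinkedMailboxState is a pure check that can be run on values read any other way.

```powershell
# Added example, not the page's own code. Hypothetical names throughout.
$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl flag for a disabled account
$MSEXCH_UAC_DISABLED   = 2     # msExchUserAccountControl value that mirrors it

function Get-AccountForestSid {
    param([string]$GcFqdn, [string]$SamAccountName)
    # Search the Account Forest through one of its GCs and return the account's objectSid.
    $rootNc   = [string]([ADSI]"LDAP://$GcFqdn/RootDSE").rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$GcFqdn/$rootNc")
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add("objectSid")
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No account '$SamAccountName' found via $GcFqdn" }
    return [byte[]]$hit.Properties["objectsid"][0]
}

function Set-LinkedMailboxOwner {
    param([string]$MailboxUserPath, [byte[]]$MasterAccountSid)
    # $MailboxUserPath is the LDAP path of the already mailbox-enabled user in the Exchange Forest.
    $mb = [ADSI]$MailboxUserPath
    # Keep the Exchange Forest account disabled and mirror that state in msExchUserAccountControl.
    $uac = [int]$mb.Properties["userAccountControl"].Value
    $mb.Properties["userAccountControl"].Value      = $uac -bor $ADS_UF_ACCOUNTDISABLE
    $mb.Properties["msExchUserAccountControl"].Value = $MSEXCH_UAC_DISABLED
    # The external account's objectSid becomes msExchMasterAccountSID (only one external account per mailbox).
    $mb.Properties["msExchMasterAccountSID"].Value   = $MasterAccountSid
    # msExchMailboxSecurityDescriptor is NOT written here: it only shadows the descriptor held in
    # the Exchange store, so the ACE for the external account must be granted through a supported
    # interface (the reply points to the Exchange 2000 SP2 CDOEXM updates for that).
    $mb.CommitChanges()
}

function Test-LinkedMailboxState {
    param([int]$UserAccountControl, [int]$MsExchUserAccountControl,
          [byte[]]$MasterAccountSid, [byte[]]$ExpectedSid)
    # Pure consistency check; returns the list of problems found (empty when everything matches).
    $problems = @()
    $disabled = ($UserAccountControl -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    if (-not $disabled) {
        $problems += "Exchange Forest account is enabled; a linked mailbox expects a disabled account"
    }
    $expectedMsExch = if ($disabled) { $MSEXCH_UAC_DISABLED } else { 0 }
    if ($MsExchUserAccountControl -ne $expectedMsExch) {
        $problems += "msExchUserAccountControl is $MsExchUserAccountControl, expected $expectedMsExch"
    }
    # Compare SIDs in S-1-5-... form so a byte-order or truncation mistake shows up readably.
    $expected = (New-Object System.Security.Principal.SecurityIdentifier($ExpectedSid, 0)).Value
    $actual   = if ($MasterAccountSid) {
        (New-Object System.Security.Principal.SecurityIdentifier($MasterAccountSid, 0)).Value
    } else { "<not set>" }
    if ($actual -ne $expected) {
        $problems += "msExchMasterAccountSID is '$actual', expected '$expected'"
    }
    return ,$problems
}

# Usage with the hypothetical names from the lead-in.
$sid  = Get-AccountForestSid -GcFqdn "MyDC.MyAccountDomain.Com" -SamAccountName "James.Bond"
$path = "LDAP://CN=James Bond,OU=Linked Mailboxes,DC=MyExchangeDomain,DC=Com"
Set-LinkedMailboxOwner -MailboxUserPath $path -MasterAccountSid $sid

$mb = [ADSI]$path
$problems = Test-LinkedMailboxState `
    -UserAccountControl       ([int]$mb.Properties["userAccountControl"].Value) `
    -MsExchUserAccountControl ([int]$mb.Properties["msExchUserAccountControl"].Value) `
    -MasterAccountSid         ([byte[]]$mb.Properties["msExchMasterAccountSID"].Value) `
    -ExpectedSid              $sid
if ($problems.Count -eq 0) { "Linked mailbox attributes are consistent" } else { $problems }
```

The check function is the part worth keeping in a synchronization job: run it after every provisioning pass, because a metadirectory that flips userAccountControl without updating msExchUserAccountControl, or that writes the SID of the wrong account into msExchMasterAccountSID, leaves a mailbox that is either unreachable from the Account Forest or reachable by the wrong principal.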
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 4:00 AM
To: [email protected]
Subject: [ActiveDir] MailBox permissioning

Hi Gurus,

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this?

I'll be doing this permissioning using a meta directory server.

Thanks,

Mayuresh.
