Hi Tom,

When using the Associated External Account (AEA) in an account forest and resource forest scenario, the account in the resource forest that is mailbox enabled is AD disabled and the account in the account forest is assigned the AEA right on the mailbox. This automagically puts the SID of the account in the account forest in the attribute called "msExchMasterAccountSID" of the account in the resource forest.

When an account is AD disabled and mailbox enabled, the attribute called "msExchUserAccountControl" will be set to 2. This tells Exchange to use the SID in the attribute called "msExchMasterAccountSID" instead of the objectSID (or sidHistory) of the account in the resource forest (the account that is AD disabled but mailbox enabled).

So if you have a single forest with AD enabled accounts that are mailbox enabled, you MUST assign SELF the AEA right after AD disabling the mailbox enabled account. If you do not, Exchange does not know what SID to use for delegations, you cannot logon to the mailbox, you cannot move it, mail for the mailbox will generate an NDR, etc. This is because Exchange sees that the attribute called "msExchMasterAccountSID" is set to 2 and the attribute called "msExchMasterAccountSID" has no SID in it. In this situation Exchange also logs errors (event id 9548) in the event log stating the problem and how to solve it.

A tool that can be used to set the AEA right to SELF for setting numerous accounts is ADmodify.NET (http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2).

Some information about it can be found in:
http://support.microsoft.com/?id=278966
http://www.petri.co.il/nomas_tool.htm

Does this answer your question?

Cheers
Jorge
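As an added example (not part of Jorge's reply or any Microsoft tool), the check below runs over a constructed LDIF-style export, such as ldifde would produce, and flags accounts that are AD disabled and mailbox enabled but carry no msExchMasterAccountSID, which is the state the reply describes as producing event ID 9548, failed logons and NDRs. The sample entries, DNs and SIDs are constructed; real exports carry msExchMasterAccountSID base64-encoded after "::", so the parser treats any value as present.

```python
# Added example: detect disabled, mailbox-enabled accounts with no master account SID.
# Input is a constructed LDIF export; entry names and SIDs are made up.
from typing import Dict, List

ACCOUNTDISABLE = 0x2        # userAccountControl bit: account is disabled
MSEXCH_UAC_DISABLED = "2"   # msExchUserAccountControl value for a disabled mailbox-enabled account

SAMPLE_LDIF = """\
dn: CN=res-user,OU=Mailboxes,DC=resource,DC=example
userAccountControl: 514
msExchUserAccountControl: 2
msExchMasterAccountSID: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: CN=leaver,OU=Users,DC=corp,DC=example
userAccountControl: 514
msExchUserAccountControl: 2

dn: CN=leaver-fixed,OU=Users,DC=corp,DC=example
userAccountControl: 514
msExchUserAccountControl: 2
msExchMasterAccountSID: S-1-5-10

dn: CN=active,OU=Users,DC=corp,DC=example
userAccountControl: 512
msExchUserAccountControl: 0
"""

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split a simple LDIF export into one attribute dict per entry (blank line separated)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        # "attr:: base64" is a binary value; strip the second colon but keep the value
        current[name.strip()] = value.lstrip(": ").strip()
    if current:
        entries.append(current)
    return entries

def find_orphaned_mailboxes(entries: List[Dict[str, str]]) -> List[str]:
    """Return DNs that are disabled and mailbox-enabled but have no msExchMasterAccountSID."""
    orphans = []
    for e in entries:
        uac_disabled = bool(int(e.get("userAccountControl", "0")) & ACCOUNTDISABLE)
        exch_disabled = e.get("msExchUserAccountControl") == MSEXCH_UAC_DISABLED
        if (uac_disabled or exch_disabled) and not e.get("msExchMasterAccountSID"):
            orphans.append(e["dn"])  # needs SELF granted the AEA right (or a master account)
    return orphans
```

In the sample, "leaver-fixed" carries S-1-5-10 (the well-known SELF SID), which is what granting SELF the AEA right leaves in the attribute, so only "leaver" is reported.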
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Thu 9/8/2005 3:22 AM
To: activedirectory
Subject: [ActiveDir] Associated External Account right

ok. i understand this right when used with a resource forest but i have no idea why you need to give this right to Self on top of Full Control to allow access to a mbox of a disabled user? shouldn't FC be enough?

Also, are these the only 2 cases where this right is ever needed?

thanks!!
