Hi Scott
 
Jorge provided a very good explanation to this a few weeks back (see attached).
 
Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, 5 October 2005 12:52 p.m.
To: [email protected]
Subject: RE: [ActiveDir] OT: Exchange alternate email address

Anybody care to explain why this needs to be set? I realize it does, but I just don’t understand what function it serves in preventing the event log errors. Also, why can’t it be set on a non-disabled account?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 6:06 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: Exchange alternate email address

 

One small thing, if the account is disabled, set the associated external account, if the account isn't disabled, don't set it. Also if it is disabled and you set the associated external account, verify that msExchMasterAccountSid gets populated with the SELF SID.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 03, 2005 4:58 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: Exchange alternate email address

If I understand this correctly, you have Jane Doe ([EMAIL PROTECTED]), and she would like to send mail as Suzy Que ([EMAIL PROTECTED]).

 

In order to do this, you actually need to create an additional account and mailbox for Suzy Que. You can disable this account, though.

 

Once the account is created and the RUS has whacked it (e.g. it has an email address), go in the Exchange Advanced tab in ADUC for Suzy Que, and then into mailbox rights. You want to do two things:

 

Add Jane Doe on there and give her rights to Send As

 

In the SELF entry, tick full mailbox access and associated external account.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 10:40 AM
To: [email protected]
Subject: [ActiveDir] OT: Exchange alternate email address

Hi, all. Quick question for you:

 

I have a user who wishes to send/receive email as a different address than her own.

 

We use Exchange 2003 and Outlook 2003. I am just inquiring as to the ‘best practice’ for accomplishing this.

 

Thanks in advance,

James




--- Begin Message ---
Hi Tom,
 
When using the Associated External Account (AEA) in an account forest and resource forest scenario, the account in the resource forest that is mailbox enabled is AD disabled, and the account in the account forest is assigned the AEA right on the mailbox. This automagically puts the SID of the account in the account forest in the attribute called "msExchMasterAccountSID" of the account in the resource forest. When an account is AD disabled and mailbox enabled, the attribute called "msExchUserAccountControl" will be set to 2. This tells Exchange to use the SID in the attribute called "msExchMasterAccountSID" instead of the objectSID (or sidhistory) of the account in the resource forest (the account that is AD disabled but mailbox enabled).
 
So if you have a single forest with AD enabled accounts that are mailbox enabled, you MUST assign SELF the AEA right after AD disabling the mailbox enabled account. If you do not, Exchange does not know what SID to use for delegations, you cannot logon to the mailbox, you cannot move it, mail for the mailbox will generate an NDR, etc. This is because Exchange sees that the attribute called "msExchMasterAccountSID" is set to 2 and the attribute called "msExchMasterAccountSID" has no SID in it. In this situation Exchange also logs errors (event id 9548) in the event log stating the problem and how to solve it.
 
A tool that can be used to set the AEA right to SELF for setting numerous accounts is ADmodify.NET (http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)
 
Some information about it can be found in
 
Does this answer your question?
 
Cheers
Jorge
 


From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Thu 9/8/2005 3:22 AM
To: activedirectory
Subject: [ActiveDir] Associated External Account right

OK. I understand this right when used with a resource forest, but I have no idea why you need to give this right to Self on top of Full Control to allow access to a mbox of a disabled user?
 
Shouldn't FC be enough?
 
 
Also, are these the only 2 cases where this right is ever needed?
 
 
thanks!!



--- End Message ---
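
The check described in the thread (a disabled, mailbox-enabled account must carry a SID in msExchMasterAccountSid, the SELF SID in the single-forest case) can be run over a directory export. This is an added example, not code from the thread or from any tool it mentions; it assumes a simplified LDIF export, uses the `homeMDB` attribute as the marker for a mailbox-enabled account, and the sample entries and function names are constructed for illustration.

```python
import base64, struct

ACCOUNTDISABLE = 0x2   # userAccountControl bit: account disabled
SELF_SID = "S-1-5-10"  # well-known SID of NT AUTHORITY\SELF
# Constructed sample in simplified LDIF (no folded lines); not real directory data.
SAMPLE = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=com
userAccountControl: 512
homeMDB: CN=Mailbox Store (EX01)

dn: CN=Suzy Que,OU=Staff,DC=example,DC=com
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01)
msExchMasterAccountSid:: AQEAAAAAAAUKAAAA

dn: CN=Old Mailbox,OU=Staff,DC=example,DC=com
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01)
"""

def sid_to_str(raw):
    """Decode a binary SID, as stored in the directory, to its S-1-... form."""
    rev, count, authority = raw[0], raw[1], int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_ldif(text):
    """Minimal LDIF reader: single-valued attributes, '::' marks base64."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            b64 = value.startswith(":")
            entry[name] = base64.b64decode(value[1:].strip()) if b64 else value.strip()
        yield entry

def audit(text):
    """Map DN -> finding for accounts that are mailbox enabled and AD disabled."""
    findings = {}
    for e in parse_ldif(text):
        disabled = int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE
        if "homeMDB" not in e or not disabled:
            continue  # the thread's rule applies only to disabled mailbox accounts
        raw = e.get("msExchMasterAccountSid")
        sid = sid_to_str(raw) if raw else "missing"
        findings[e["dn"]] = {"missing": "missing msExchMasterAccountSid",
                             SELF_SID: "ok: SELF"}.get(sid, "external account " + sid)
    return findings
```

Accounts reported as missing the attribute are the ones the thread says will fail logon, moves and delivery; an "external account" result is expected only in the resource-forest arrangement.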
