The Exchange developers decided to define a mailbox enabled
but Windows disabled account as a resource mailbox meaning a mailbox that is
linked to another account. This case is an excellent example of a resource
mailbox, a mailbox that is linked to a user object where the user object isn't
really used.

If a user object with a mailbox connected to it is
disabled, Exchange treats the account differently and part of that requires that
the master account SID is set to link it to an account for security enumeration.
Failure to do so can cause several issues including the dreaded 9548 error
which you will often hear isn't so bad but in large quantities can completely
hang your store up. I have seen several examples of it. Just in case anyone
isn't completely understanding of this, 9548s are bad, 9548s are bad, 9548s are
bad.

As for it being set on accounts that aren't disabled, I
don't know of issues off hand but MS specifically states it shouldn't be
set in that case and my experiences with bad data in AD related to Exchange are
such that I won't question it.

Where this really comes into play are companies that decide
they don't want to delete accounts but instead want to disable them for x days.
The next logical thing is to not delete the mailbox either, that way you don't
have to worry about retention policy and you can still easily move mailboxes
between servers as needed. So the process is to disable a mailbox
enabled userid. This is ok and you can do it, but hardly anyone does it
properly. Anyone who has to run nomas to clean up is not properly deprovisioning
the user objects. They are putting garbage in and then going back and cleaning
it up, best to just avoid setting garbage in the first place. The proper way is
documented in a couple of KBs, but basically it is setting the values we have
discussed.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Tuesday, October 04, 2005 7:52 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: Exchange alternate email address

Anybody care to explain why this needs to be set? I realize it does, but I
just don't understand what function it serves in preventing the event log
errors. Also, why can't it be set on a non-disabled account?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

One small thing, if the account is disabled, set the associated external
account, if the account isn't disabled, don't set it. Also if it is disabled
and you set the associated external account, verify that
msExchMasterAccountSid gets populated with the SELF SID.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond

If I understand this correctly, you have Jane Doe ([EMAIL PROTECTED]), and she
would like to send mail as suzy que ([EMAIL PROTECTED]). In order to do this,
you actually need to create an additional account and mailbox for Suzy Que.
You can disable this account, though.

Once the account is created and the RUS has whacked it (e.g. it has an email
address), go in the Exchange Advanced tab in ADUC for suzy que, and then into
mailbox rights. You want to do two things:

- Add Jane Doe on there and give her rights to Send As
- In the SELF entry, tick full mailbox access and associated external account.

Thanks,
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

Hi, all. Quick question for you: I have a user who wishes to send/receive
email as a different address than her own. We use Exchange 2003 and Outlook
2003. I am just inquiring as to the 'best practice' for accomplishing this.

Thanks in advance,
James
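
The rule discussed in this thread (a disabled, mailbox-enabled account should have msExchMasterAccountSid set, with the SELF SID when SELF is the associated external account, and an enabled account should not have it set) can be checked offline against exported directory attributes. This is an added example, not code from the thread: the record layout, the function names and status strings, and the use of homeMDB to mean "mailbox-enabled" are assumptions, and the sample records are constructed.

```python
import struct

SELF_SID = "S-1-5-10"        # well-known SID of NT AUTHORITY\SELF
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account disabled

def sid_to_str(raw):
    """Decode a binary SID, as stored in AD, into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def audit(rec):
    """Classify one exported user record against the rule from the thread."""
    if not rec.get("homeMDB"):                 # assumption: homeMDB => mailbox
        return "not-mailbox"
    disabled = bool(int(rec["userAccountControl"]) & UF_ACCOUNTDISABLE)
    raw = rec.get("msExchMasterAccountSid")
    if not raw:
        # Disabled mailbox account with no master account SID: the 9548 case.
        return "missing-master-sid" if disabled else "ok"
    try:
        sid = sid_to_str(raw)
    except ValueError:
        return "invalid-master-sid"
    if not disabled:
        return "unexpected-master-sid"         # set on an enabled account
    return "ok-self" if sid == SELF_SID else "ok-linked:" + sid

# Constructed sample records (not real directory data).
SELF_RAW = bytes.fromhex("01010000000000050a000000")
MDB = "CN=Mailbox Store (constructed),CN=EXAMPLE"
SAMPLE = [
    {"sAMAccountName": "suzy.que", "userAccountControl": 514,
     "homeMDB": MDB, "msExchMasterAccountSid": SELF_RAW},
    {"sAMAccountName": "old.user", "userAccountControl": 514, "homeMDB": MDB},
    {"sAMAccountName": "jane.doe", "userAccountControl": 512,
     "homeMDB": MDB, "msExchMasterAccountSid": SELF_RAW},
    {"sAMAccountName": "no.mail", "userAccountControl": 514},
]

def report(records):
    """Map each account name to its audit status."""
    return {r["sAMAccountName"]: audit(r) for r in records}

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name:10} {status}")
```

A disabled account whose master account SID is some other valid SID is reported as linked rather than as an error, since the thread describes a resource mailbox as one linked to another account.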
