Wow! All these years I've been working with Exchange and I didn't know about that attribute. I'd worked with header.exe before but I'm sure the default mailbox attributes did not include this one. Thanks guys. I have already started an export and will look at testing the import. I already have a process in place for the rest of the cleanup stuff; this was my only sticking point :-)
Jacqui
Actually, yes you can unless I totally misunderstood your requirement.
To be sure, I think you're saying you want to remove the primary windows nt account value and replace it with a user representative but you want to allow the existing value represented to continue to have access to the mailboxes. You don't need to get granular and grant/revoke access at the folder level.
If that's correct, then what Tony was talking about has worked for me in the past. I've used it in migration scenarios vs. just cleanup. i.e. migrating from domain1 to newDomain and want to let newDomain users have access to their mailboxes as if nothing happened. Solution: using import/export move the existing value to the obj-User field and replace the primary-Windows-NT value with newDomain\user value.
In your case, you just need to identify which ones are groups vs. user accounts (looping through the spreadsheet and figuring out which are groups and which are not might be one way to do this). To identify which are shared accounts you must have some other sort of knowledge because to the system a shared account (account where more than one wetware element knows the credentials) is the same as one security principal-one wetware element.
Developing anything against 5.5 is a dead-end scenario that has a limited return on your time and resources invested. Might be fun, but I think if you write a lot of code for this one-time use, it might not be an equitable transaction.
Al
On 2/13/06, Jacqui Hurst <[EMAIL PROTECTED]> wrote:
I am working on directory cleanup activities for the existing Exchange 5.5 directory. Where accounts are sharing an NT account or using a group I would like to replace the primary NT account with a unique account and update the additional permissions to include the account that was previously the primary NT account (so still allowing access to the mailbox).
Most of the cleanup activities have used imports and exports but as you can imagine I can't achieve permissions update using this method. I found some VB code which I believe is meant to do this but this just doesn't appear to be working. Any other methods of achieving the same goals would be appreciated.
Cheers.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: 12 February 2006 09:22
To: [email protected]
Subject: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5
As Al indicates, there may be other methods. One option could be to look at directory export/import to achieve what you want.
Header.exe facilitates the creation of an export CSV template with additional fields, including Primary Windows NT Account and Obj-User (which shows those accounts with "User" role on the mailbox). You can also find accounts with delegate permissions on a mailbox by including public-delegates and public-delegates-bl in the CSV template.
You can download header.exe here:
Tony
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, 12 February 2006 12:26 p.m.
To: [email protected]
Subject: Re: [ActiveDir] OT: ADSI and Exchange 5.5
This would be a great time to ask: when you say "update Permissions on Exchange 5.5 mailboxes" what are you trying to accomplish exactly? It may be possible that what you want to do is possible with some other method.
Al
On 2/11/06, joe < [EMAIL PROTECTED]> wrote:
I don't think so. Here are the reasons.
o Exchange 5.5 ACLing isn't based on SIDs which is what ADSI perm mods work with (including ADsSecurity.dll).
o I don't see MS doing ANYTHING to support 5.5, heck it is near impossible to get a change for Exchange Server 2003 at this point.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jacqui Hurst
Sent: Friday, February 10, 2006 6:56 AM
To: [email protected]
Subject: [ActiveDir] OT: ADSI and Exchange 5.5
Can anyone advise me if there has been a change in the ADSI that now allows the ACL of an Exchange 5.5 mailbox to be manipulated? I have some sample VB code from the ADSI 2.0 SDK that appears to offer the ability but as yet I cannot get this to work. I have found articles on the MS web site that say it is not possible with code other than C or C++ (detailed in the Exchange 5.5 SDK).
If it is possible where am I going wrong?
I have an XP client with the ADSI resource kit installed (including ADsSecurity.dll)
I have installed ADSI 2.5 on my Exchange 5.5 server (not sure if this was required)
I have imported the code into Visual Basic 2005 Express edition and compiled it (Build Security)
The code builds but when I run it against my environment I get an MS error to be sent to Microsoft.
Has anyone any advice on code I can use to update Permissions on Exchange 5.5 mailboxes?
As you can gather I'm not a born coder, I dabble when I have to :-)
Regards,
Jacqui
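The export/import approach Tony and Al describe in this thread, as an added example that is not code from any poster: it reads a directory export, finds NT accounts that are primary on more than one mailbox, and builds the import rows that move the old value into Obj-User and set a new primary account. The `Directory Name` key column, the `%` multi-value separator, and all sample accounts are assumptions; only the two column names `Primary Windows NT Account` and `Obj-User` come from the thread.

```python
import csv
import io
import sys
from collections import Counter

PRIMARY = "Primary Windows NT Account"  # column name as given in the thread
OBJ_USER = "Obj-User"                   # column name as given in the thread
KEY = "Directory Name"                  # assumed key column in the export
MULTI_SEP = "%"                         # assumed multi-value separator

# Constructed sample export; accounts and mailboxes are made up.
SAMPLE_EXPORT = """Obj-Class,Directory Name,Primary Windows NT Account,Obj-User
Mailbox,asmith,DOMAIN1\\shared1,
Mailbox,bjones,DOMAIN1\\shared1,DOMAIN1\\helpdesk
Mailbox,cwong,DOMAIN1\\cwong,
"""
# Constructed mapping: mailbox -> new unique primary account.
NEW_ACCOUNTS = {"asmith": "DOMAIN1\\asmith", "bjones": "DOMAIN1\\bjones"}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def shared_primaries(rows):
    """Accounts that are primary on more than one mailbox (case-insensitive)."""
    counts = Counter(r[PRIMARY].lower() for r in rows if r[PRIMARY])
    return {acct for acct, n in counts.items() if n > 1}


def plan_import(rows, new_accounts):
    """Return (rows to import, mailboxes skipped for lack of a new account)."""
    shared = shared_primaries(rows)
    changed, skipped = [], []
    for row in rows:
        old = row[PRIMARY]
        if old.lower() not in shared:
            continue                      # already a unique primary account
        new = new_accounts.get(row[KEY])
        if not new:
            skipped.append(row[KEY])      # never blank the primary account
            continue
        users = [u for u in row[OBJ_USER].split(MULTI_SEP) if u]
        if old.lower() not in {u.lower() for u in users}:
            users.append(old)             # old primary keeps User access
        changed.append({**row, PRIMARY: new, OBJ_USER: MULTI_SEP.join(users)})
    return changed, skipped


if __name__ == "__main__":
    changed, skipped = plan_import(load(SAMPLE_EXPORT), NEW_ACCOUNTS)
    out = csv.DictWriter(sys.stdout, fieldnames=list(changed[0]))
    out.writeheader()
    out.writerows(changed)
```

Group accounts used as a primary on a single mailbox are not detected by the duplicate check and still need to be identified separately before import.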
