
Blog


    April 23

    Product releases

    Several good tools have been released or updated recently!
     
    - Exchange Best Practices Analyzer 2.6: www.exbpa.com
     
    Windows Vista Build 5365 was released yesterday to Beta Testers. This is said to be the last build available for beta testing before Beta 2 which should be available in May 2006. When I get this build installed, I hope to write something about it. Until then...

    Event 9548, disabled mailboxes and other stuff

    Two questions I am asked over and over again by my consulting customers are:
     
    - Can a disabled mailbox (the mailbox of a mailbox-enabled user whose account is disabled) receive mail and otherwise function normally as a mailbox?
    - Why is the Application log of my Exchange server filled with events with ID 9548, stating that a disabled user does not have a master account SID?
     
    Even though these questions might sound unrelated, they are not: both come down to the way Exchange 2000/2003 handles disabled user accounts. To get a better understanding, let me explain in a little more detail.
     
    When you disable a user account that is mailbox-enabled (owns a mailbox), Exchange expects an Active Directory attribute called msExchMasterAccountSid to be set on the user object. Usually msExchMasterAccountSid has no value; it is populated only when you define either another account (from a different forest) or the SELF identity as the Associated External Account in Mailbox Rights. If a disabled user object owns a mailbox and msExchMasterAccountSid is not set, you get the Event 9548 problem of the second question, and you will probably also run into the problem of the first question (mail may not be delivered to the mailbox), as described in KB article 319047 (http://support.microsoft.com/kb/319047/en-us).
     
    What is the msExchMasterAccountSid attribute and why do I need it?
     
    Disabled user accounts that own a mailbox are most commonly seen during migrations. When a migration is done between two Active Directory forests (and two Exchange organizations), it is not uncommon for the Exchange services to move to the new domain environment first while users keep logging on to the old forest for quite a while. In this kind of scenario users have two user objects: one that they use to log on in the old forest (enabled) and one that represents their mailbox in the new forest (disabled). If you look at this scenario from a permissions point of view, when an Exchange user grants another user permissions to his/her calendar (or any folder in the mailbox, for that matter), the permissions must end up on the account used for logon for access control to work as expected. The question is, how do I specify in Outlook which user account the permissions are granted to? The answer is, you can't: you always delegate permissions to recipient objects, and Exchange/Windows converts the permissions to user/group SIDs behind the scenes. This is where msExchMasterAccountSid comes into play. If it has a value and the user account that owns the mailbox is disabled, all permissions are automatically resolved to the "logon account", in other words the SID stored in the msExchMasterAccountSid attribute (the Associated External Account).
     
    Why is it such a big deal?
     
    If msExchMasterAccountSid is not populated accordingly for disabled user accounts that have mailboxes, you run into various permission issues at the mailbox level. Delegates do not work as expected, you may not be able to post to or read information from public folders, and you might even be unable to receive mail in the mailbox in question (as stated earlier in this post). So, to answer the first question: a mailbox-enabled user whose account is disabled can receive mail just fine, as long as you make sure that msExchMasterAccountSid is set as expected.
     
    There are several KB articles that discuss the problems mentioned: 247173, 278966, 300456 and 812276 to name a few.
     
    How do I fix the situation?
     
    If you are experiencing the symptoms mentioned in this article, the cure is usually to set correct values on the msExchMasterAccountSid attributes. To start off, run an LDAP query against your AD to find the recipients with missing attribute values; the filter (&(objectclass=user)(objectcategory=person)(mailnickname=*)(!(msExchMasterAccountSid=*))) will give you the list. Note, however, that it does not distinguish between enabled and disabled users, so you still have to check which of the returned accounts are actually disabled (the disabled bit lives in userAccountControl). Then use a tool called NoMAS (you can get the tool through PSS); it will assist you by making the necessary changes to the user object attributes. You can of course do this by hand as well: just define the correct account as the Associated External Account in the Mailbox Rights of the corresponding disabled mailbox-enabled user object (ADUC - User Object - Exchange Advanced - Mailbox Rights).
     
    For more information about the NoMAS tool, refer to msexchange.org (http://www.msexchange.org/articles/NoMAS-Tool.html)
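    As an added example (not part of the original post, and not the NoMAS tool), here is a small offline audit that shows what the query above is really testing. It restricts the filter to disabled accounts with the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) on userAccountControl, decodes the binary SID stored in msExchMasterAccountSid so you can tell SELF (S-1-5-10) from an external account, and sorts each mailbox-enabled user into the cases discussed above. The user records and the external SID are constructed stand-ins for what an LDAP search would return; the SID layout, the SELF SID and the matching-rule OID are real.

```python
"""Offline audit of msExchMasterAccountSid on mailbox-enabled users.

Added example, not from the original post. The records below are constructed
stand-ins for LDAP search results; the SID layout and the OID are real.
"""
import struct

# Bit in userAccountControl that marks a disabled account (ADS_UF_ACCOUNTDISABLE).
ACCOUNT_DISABLED = 0x0002
# SELF, the well-known SID written when the Associated External Account is SELF.
SELF_SID = "S-1-5-10"
# LDAP_MATCHING_RULE_BIT_AND: tests individual bits of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def ldap_filter(disabled_only=True):
    """The post's query with the negation properly parenthesised and, optionally,
    restricted to disabled accounts so enabled users do not clutter the result."""
    clauses = [
        "(objectClass=user)",
        "(objectCategory=person)",
        "(mailNickname=*)",
        "(!(msExchMasterAccountSid=*))",
    ]
    if disabled_only:
        clauses.append("(userAccountControl:%s:=%d)" % (BIT_AND_RULE, ACCOUNT_DISABLED))
    return "(&" + "".join(clauses) + ")"


def sid_to_string(blob):
    """Decode a binary SID (msExchMasterAccountSid / objectSid) to S-R-A-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 4-byte little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_string(text):
    """Inverse of sid_to_string; used here only to build the constructed records."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify(user):
    """Return (status, master_sid) for one user record.

    DISABLED_MISSING is the case behind Event 9548 and the delegate / delivery
    problems; it is exactly what ldap_filter() finds."""
    if not user.get("mailNickname"):
        return ("NOT_MAILBOX_ENABLED", None)
    disabled = bool(user.get("userAccountControl", 0) & ACCOUNT_DISABLED)
    blob = user.get("msExchMasterAccountSid")
    master = sid_to_string(blob) if blob is not None else None
    if not disabled:
        # An enabled account normally carries no master account SID; if one is
        # present, the logon SID and the master SID differ, which is worth a review.
        return ("ENABLED_OK", None) if master is None else ("ENABLED_HAS_MASTER", master)
    if master is None:
        return ("DISABLED_MISSING", None)
    if master == SELF_SID:
        return ("DISABLED_SELF", master)
    return ("DISABLED_EXTERNAL", master)


def audit(users):
    """Map sAMAccountName -> classification for a list of records."""
    return {u["sAMAccountName"]: classify(u) for u in users}


# Constructed sample records (not real accounts); the domain SID is made up.
# userAccountControl 0x200 = NORMAL_ACCOUNT, 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
EXTERNAL_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mailNickname": "alice",
     "userAccountControl": 0x200, "msExchMasterAccountSid": None},
    {"sAMAccountName": "bob", "mailNickname": "bob",
     "userAccountControl": 0x202, "msExchMasterAccountSid": None},
    {"sAMAccountName": "room1", "mailNickname": "room1",
     "userAccountControl": 0x202, "msExchMasterAccountSid": sid_from_string(SELF_SID)},
    {"sAMAccountName": "carol", "mailNickname": "carol",
     "userAccountControl": 0x202, "msExchMasterAccountSid": sid_from_string(EXTERNAL_SID)},
    {"sAMAccountName": "svc", "mailNickname": None,
     "userAccountControl": 0x202, "msExchMasterAccountSid": None},
]

if __name__ == "__main__":
    print(ldap_filter())
    for name, (status, sid) in audit(SAMPLE_USERS).items():
        print("%-6s %-20s %s" % (name, status, sid or ""))
```

    Only "bob" comes back as DISABLED_MISSING, which is the account that would log Event 9548 and needs an Associated External Account set; "room1" (SELF) and "carol" (external account) are the two correctly configured shapes of a disabled mailbox. Against a real directory you would feed the same classify() the attributes returned by your LDAP tool instead of the constructed list.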
     
    Hotfix 903158 / 916783
     
    During March 2006, Microsoft released a hotfix for the Exchange store that changes this behaviour a little: Event 9548 is no longer raised for disabled mailbox-enabled user objects when msExchMasterAccountSid is not explicitly required. If you are currently struggling with the second question we started off with, for example because you have a lot of resources defined as disabled user objects, installing the hotfix will make your life much easier!