Granting Access to External Accounts

If you have to grant access to accounts that are not part of the Exchange Server 2003 organization's Active Directory forest, the procedures are the same as those described elsewhere.

If you use a mailbox's Mailbox Rights dialog box (in Active Directory Users and Computers) to grant permissions such as Full Mailbox Access to delegate users, you might have noticed a permission named Associated External Account. To avoid confusion about when to use (or more frequently, not to use) this value, consider the following guidelines:

  • Although it is displayed in the list of permissions, the Associated External Account attribute is not a true permission. It is meant to be used only when the mailbox itself is associated with a disabled account, and the disabled account is associated with another user account (typically a Windows NT Server 4.0 account that has not yet been migrated to Active Directory).

    If the mailbox has a typical, enabled Active Directory account, setting the Associated External Account attribute can cause odd behavior such as lost permission settings.

  • If the users to whom you want to grant delegate access reside in a domain outside the Active Directory forest (such as in a Windows NT Server 4.0 domain or in a separate Active Directory forest), you can add those users to the list in the permissions dialog box in the same way that you would add any other users. Do not try to set the Associated External Account attribute for any delegate user. Associated External Account can be used only one time per mailbox, and only under the condition outlined previously. It does not affect delegates in any way.
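
A check for the misconfiguration described above, as an added example rather than code from the original documentation: it scans an LDIF export of user objects and lists enabled accounts that have Associated External Account set. It assumes the setting is stored in the user's msExchMasterAccountSid attribute and that a disabled account has the 0x2 bit set in userAccountControl (both names come from the Active Directory schema, not from this page), that entries are separated by blank lines with no folded lines, and the sample entries are constructed.

```python
import base64
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts

# Constructed LDIF export (not real directory data). Binary values use "::" + base64.
SAMPLE_LDIF = """\
dn: CN=Migrated Mailbox,OU=Staff,DC=corp,DC=example
userAccountControl: 514
msExchMasterAccountSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6QMAAA==

dn: CN=Enabled User,OU=Staff,DC=corp,DC=example
userAccountControl: 512
msExchMasterAccountSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6QMAAA==

dn: CN=Plain User,OU=Staff,DC=corp,DC=example
userAccountControl: 512
"""

def decode_sid(raw):
    """Convert a binary SID to its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_ldif(text):
    """Yield one {attribute: value} dict per entry; base64 values become bytes."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                entry[name] = base64.b64decode(value[1:].strip())
            else:
                entry[name] = value.strip()
        yield entry

def audit(text):
    """Return (dn, external SID) for enabled accounts that carry the attribute."""
    findings = []
    for entry in parse_ldif(text):
        sid = entry.get("msExchMasterAccountSid")
        enabled = not (int(entry.get("userAccountControl", "0")) & ACCOUNTDISABLE)
        if sid is not None and enabled:
            findings.append((entry["dn"], decode_sid(sid)))
    return findings

if __name__ == "__main__":
    for dn, sid in audit(SAMPLE_LDIF):
        print("review:", dn, "->", sid)
```

The disabled "Migrated Mailbox" entry matches the intended use and is not reported; only the enabled account with the attribute set is listed for review.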