Detecting and Correcting msExchMasterAccountSid Issues


A mailbox that is on a server that is running Microsoft® Exchange Server 2003 or Exchange 2000 Server must be linked to an Active Directory® directory service user account to be accessible. This link is accomplished by setting several Active Directory attributes on the mailbox. The Active Directory account to which the Exchange mailbox is linked can be in either an enabled or disabled state. A disabled Active Directory user account cannot be used to log on to the Active Directory domain.

The most common reason for linking an Exchange mailbox to a disabled Active Directory user account is to link a mailbox in one Active Directory forest to a Microsoft Windows® NT or Active Directory account outside the forest. You cannot directly associate a mailbox in one Active Directory forest with an external user account. Therefore, a disabled user account is used to accomplish this task indirectly. This is done by accomplishing the following tasks, not necessarily in the order listed:

  • Mailbox-enable an Active Directory account (Account A) in the same Active Directory forest as the server that is running Exchange.

  • Disable Active Directory Account A for logon. Only disabled accounts should be used for assigning a mailbox to an external-owning account.

  • Grant the Full Mailbox Access and Read Permissions rights to a different account (Account B) that is external to the forest or that is a well-known security identifier (SID). See below for more information about well-known SIDs.

    The Full Mailbox Access right can be viewed and changed in the object properties for Account A. This right is visible in the Mailbox Rights dialog box on the Exchange Advanced page. This right can be granted to multiple accounts, both internal and external.

    Note

    For the Exchange Advanced properties pages to be visible in the Active Directory Users and Computers console, Exchange System Manager must be installed on the administrative workstation.

  • Grant the Associated External Account right to the external account (Account B) or to a well-known SID.

    In most cases, SIDs in Windows are uniquely associated with a single account in a single Active Directory forest. A well-known SID is one that is associated with certain standard Windows accounts and that is the same for the same standard accounts across all forests. Self and Anonymous are two examples of accounts with generic well-known SIDs. For more information about well-known SIDs, see Knowledge Base article 243330, "Well-known security identifiers in Windows operating systems."

Only accounts external to the forest where Account A resides or accounts with well-known SIDs can be set as the Associated External Account. The Associated External Account setting is not actually a right, although it appears for convenience in the Mailbox Rights dialog box. It is instead a flag set in the mailbox security descriptor on Account A that identifies Account B as the external account that should “own” the mailbox.

You can set Associated External Account on only one account at a time. You must also grant Full Mailbox Access and Read Permissions rights to Account B before you can set it as the Associated External Account. Active Directory does not enforce simultaneous performance of all these tasks, nor does it enforce removal of the Associated External Account or msExchMasterAccountSid if an Active Directory account is re-enabled. This consideration is important because only disabled accounts should have a user with the Associated External Account right or the msExchMasterAccountSid attribute. When these attributes are not correctly set and synchronized, various issues may occur. These issues can include problems with mail delivery to the affected accounts, delegate and public folder access problems, and, if there are a large number of accounts involved, general performance issues with the server that is running Exchange. For more information about these issues, see the following Knowledge Base articles:

It is possible to set the Associated External Account and the msExchMasterAccountSid to any well-known SID or external account. However, these values should only be assigned to either Self or to an external account. Designating other well-known SIDs as Associated External Accounts is not supported by Microsoft. Additionally, designating a security group as Associated External Account is not supported.

When an enabled Active Directory account is associated with an Exchange mailbox, the SID for the Active Directory account (objectSid) is used for performing mailbox security related functions.

As an example, consider a scenario in which one user uses Microsoft Office® Outlook to grant folder permissions to another user. In Outlook, you grant permissions to other mailboxes, not directly to Active Directory accounts. This indirection allows Outlook to recognize permissions for accounts that are not Active Directory-based, such as Exchange 5.5 Server accounts.

In Exchange Server 2003 and Exchange 2000 Server, when permission is granted in Outlook to another user’s folder, the normal method of implementing the permission is to grant permission to the SID of the Active Directory account associated with the mailbox. However, if that account is disabled, these permissions will not be useful. The account is prevented from being used to log on or grant access to resources. This is the point where the Associated External Account and the msExchMasterAccountSid become useful. They allow substitution of a different SID, the SID of the external account that actually owns the mailbox, when Exchange is evaluating security credentials.

If the Associated External Account flag is set on Account A’s Mailbox Rights properties, the SID listed in msExchMasterAccountSid will be used in security operations for that mailbox instead of the objectSid for Account A. The only exception is if the msExchMasterAccountSid value is the well-known Self account, in which case the objectSid will still be used. If the msExchMasterAccountSid value does not exist, whether or not the Associated External Account is set, security operations with the mailbox will fail. The Associated External Account and the msExchMasterAccountSid work in tandem. Therefore, it is critical that these rules be followed:

  • An account must be disabled if it has an Associated External Account or msExchMasterAccountSid. No enabled Active Directory account should ever have either an Associated External Account or an msExchMasterAccountSid.

  • Every logon-disabled Active Directory account that is mailbox-enabled must have both an Associated External Account and an msExchMasterAccountSid attribute.

You can search for enabled Active Directory accounts that have msExchMasterAccountSid attributes with the following LDAP query:

(&(objectCategory=user)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))

This query can be used in various LDAP applications and scripts. For example, you can use it with LDIFDE, the Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) directory export tool included with Windows 2000 Server and Windows Server™ 2003:

LDIFDE -F BadAccounts.txt -D "DC=CONTOSO,DC=COM" -R "(&(objectCategory=user)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))"

Each of the accounts listed in BadAccounts.txt should be examined and the Associated External Account removed from them.

Removing the Associated External Account in the Mailbox Rights dialog box will automatically remove the msExchMasterAccountSid attribute. Setting the Associated External Account in the Mailbox Rights dialog box will automatically set the msExchMasterAccountSid attribute. This behavior occurs for both enabled and disabled Active Directory accounts.

Conversely, you can also search for disabled Active Directory user accounts that do not have an msExchMasterAccountSid value:

(&(objectCategory=user)(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))

As a general rule, you are more likely to notice problems in your environment with disabled Active Directory accounts that do not have an msExchMasterAccountSid than with enabled accounts that do have an msExchMasterAccountSid. This situation occurs because no event is logged for enabled users with msExchMasterAccountSid.
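The two LDAP filters above can be run from a script as well as from LDIFDE, which makes it easy to audit both rules in one pass and to decode the msExchMasterAccountSid value into a readable SID string. The following PowerShell script is an added example, not part of the original article or any Microsoft tool: it uses the .NET System.DirectoryServices classes (available on any Windows machine with PowerShell) to run the article's two queries against a domain. The search base "LDAP://DC=CONTOSO,DC=COM" is the article's placeholder domain and must be replaced with your own; the function and parameter names are this example's own.

```powershell
# Added example (not from the original article): audit both msExchMasterAccountSid rules.
#   Rule 1: no enabled account should carry msExchMasterAccountSid.
#   Rule 2: every disabled, mailbox-enabled account must carry msExchMasterAccountSid.
# Assumes a domain-joined machine whose schema has the Exchange attributes, and a
# search base adjusted to your domain (CONTOSO is the article's placeholder).
param(
    [string]$SearchBase = "LDAP://DC=CONTOSO,DC=COM"
)

# The two LDAP filters exactly as given in the article.
$Filters = @{
    'EnabledWithMasterAccountSid'     = '(&(objectCategory=user)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))'
    'DisabledWithoutMasterAccountSid' = '(&(objectCategory=user)(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))'
}

# Well-known SID of the Self account; the article notes it is the one well-known
# SID that is supported (besides a genuinely external account) as the master SID.
$SelfSid = 'S-1-5-10'

function Find-MasterAccountSidIssues {
    param(
        [Parameter(Mandatory)][string]$Base,
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string]$Issue
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Base)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000   # paged search so large directories are enumerated completely
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'sAMAccountName', 'msExchUserAccountControl', 'msExchMasterAccountSid'))

    foreach ($result in $searcher.FindAll()) {
        # Property names in a SearchResult are lower-case; the SID is stored as a byte array.
        $sidString = $null
        $sidBytes  = $result.Properties['msexchmasteraccountsid']
        if ($sidBytes.Count -gt 0) {
            $sidString = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes[0], 0)).Value
        }
        [pscustomobject]@{
            Issue                    = $Issue
            SamAccountName           = [string]$result.Properties['samaccountname'][0]
            DistinguishedName        = [string]$result.Properties['distinguishedname'][0]
            msExchUserAccountControl = [int]$result.Properties['msexchuseraccountcontrol'][0]
            MasterAccountSid         = $sidString
            MasterIsSelf             = ($sidString -eq $SelfSid)
        }
    }
}

# Run both audits and emit one object per offending account.
$Report = foreach ($name in $Filters.Keys) {
    Find-MasterAccountSidIssues -Base $SearchBase -Filter $Filters[$name] -Issue $name
}

$Report | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
```

Pipe `$Report` to `Export-Csv` to keep a record for the remediation pass described above: accounts reported under EnabledWithMasterAccountSid need the Associated External Account removed in the Mailbox Rights dialog box (which also clears msExchMasterAccountSid), and accounts under DisabledWithoutMasterAccountSid need the Associated External Account granted. The `MasterIsSelf` column makes it easy to spot master SIDs that are neither Self nor an external account, which the article states is an unsupported configuration.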

For More Information

For more information about Active Directory and Exchange mailboxes, see Using Active Directory Attributes to Enable, Disable, and Re-Home Mailboxes.

For more information about moving Exchange mailbox databases, see Moving an Exchange Mailbox Database to Another Server or Storage Group.