Can't change mailbox rights

Status
Not open for further replies.
Mar 19, 2004
Hi,

I'm running Exchange 2003 on Win Server Standard 2003. I'm trying to edit mailbox rights on several accounts via Active Directory Users and Computers but whenever I attempt to apply any changes made I get the following message:

The user granted 'associated external account right' must also be granted 'full mailbox access right.

ID No: c1034ad4

Microsoft Active Directory - Exchange Extension


I'm not trying to change the Associate External Account right; it is not being selected. In fact this message is shown when attempting to make any rights changes on the account. I suspect the fact that the accounts affected have all been migrated from an Exchange 5.5 server may be a factor but can't find any mention on the MS knowledge base.

Any help appreciated.

Tim
 
The MSExchMailboxSecurityDescriptor attribute contains an ACL with a list of ACE entries for users that have permissions to the mailbox. When you check "Associated External Account" for one of those ACE entries, the ACE is copied to the MSExchMasterAccountSID attribute. This should never happen for an enabled user. A disabled user should have "SELF" added to MSExchMailboxSecurityDescriptor and "Associated External Account" should be checked for "SELF" meaning that the ACE for "SELF" should be copied to MSExchMasterAccountSID. "SELF" is a well-known security identifier that is sort of a programmatic shortcut. Utilities like the Active Directory Connector will add "SELF" to save doing LDAP lookups for each account. The actual account can be used instead of "SELF", and many times is; however, permissions should always be the same if both are on the ACL and permissions should never be split between the two.

Sometimes this process breaks down and you see invalid values in the two attributes. At one time, certain tools would create invalid values. An example would be an enabled user with "Associated External Account" set, or an ACE in MSExchMasterAccountSID that does not exist in the ACL in MSExchMailboxSecurityDescriptor. If this happens, delegate access and certain types of public folder access break. In the former case, try:


In the latter case, you'd have to call MS and ask for an internal tool to fix it.

XMSRE
MOSMWNMTK
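
The consistency rules described in the reply above can be checked mechanically. The following PowerShell sketch is an added example, not code from the thread or from Microsoft: the function name `Get-MailboxAclFinding` is hypothetical, the mailbox-right bit values (0x1 full mailbox access, 0x4 associated external account) are assumptions, and the SIDs and SDDL strings are constructed sample data.

```powershell
# Added example, not from the thread. Bit values below are assumed from
# Exchange's mailbox-rights flags; all SIDs and SDDL strings are constructed.
$FullAccess      = 0x1          # "full mailbox access"
$ExternalAccount = 0x4          # "associated external account"
$SelfSid         = 'S-1-5-10'   # well-known SID for SELF
$u               = 'S-1-5-21-1-2-3-1104'   # constructed SID of the mailbox user
function Get-MailboxAclFinding {   # hypothetical helper name
    param(
        [bool]$Enabled,        # is the AD account enabled?
        [string]$UserSid,      # the account's own SID
        [string]$MasterSid,    # MSExchMasterAccountSID value, '' if unset
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor
    )
    $mask = @{}                # trustee SID -> combined allow mask
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        $mask[$sid] = [int]$mask[$sid] -bor $ace.AccessMask
    }
    $findings = @()
    foreach ($sid in $mask.Keys) {
        $ext = $mask[$sid] -band $ExternalAccount
        if ($ext -and -not ($mask[$sid] -band $FullAccess)) {
            $findings += "$sid has external account without full mailbox access"
        }
        if ($ext -and $Enabled) {
            $findings += "enabled user, but $sid has external account set"
        }
    }
    if ($MasterSid -and -not $mask.ContainsKey($MasterSid)) {
        $findings += "master SID $MasterSid has no ACE in the mailbox ACL"
    }
    if ($mask.ContainsKey($SelfSid) -and $mask.ContainsKey($UserSid) -and
        $mask[$SelfSid] -ne $mask[$UserSid]) {
        $findings += "SELF and $UserSid carry different permissions"
    }
    $findings
}
$samples = @(   # constructed descriptors in SDDL form; PS is the SDDL alias for SELF
    @{ Name = 'disabled, consistent'; Enabled = $false; MasterSid = 'S-1-5-10'
       Sddl = 'D:(A;;0x5;;;PS)' },
    @{ Name = 'enabled, broken'; Enabled = $true; MasterSid = 'S-1-5-21-9-9-9-500'
       Sddl = 'D:(A;;0x4;;;PS)(A;;0x1;;;S-1-5-21-1-2-3-1104)' }
)
foreach ($s in $samples) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $s.Sddl
    $f = Get-MailboxAclFinding -Enabled $s.Enabled -UserSid $u -MasterSid $s.MasterSid -Descriptor $sd
    "{0}: {1}" -f $s.Name, $(if ($f) { $f -join '; ' } else { 'ok' })
}
```

To run the same check on attribute bytes read from a directory, build the descriptor with the `RawSecurityDescriptor(byte[], 0)` constructor instead of the SDDL string.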
 