Title: Exchange and disabling accounts
Oh this is a fun one.
 
Straight up, as someone else mentioned, you can use nomas to do this cleanup. However it isn't the most efficient tool if you have a lot of them to clean up. I have sent MS docs on things I think need to be corrected for it. I don't think they will be implemented though because they really don't care about that tool, it is a thing to deal with an issue that really shouldn't exist and wouldn't if the Exchange Dev folks would step up and rework those aspects. In the meanwhile, LOTS of companies run into this and don't realize the perf hits they are taking because of it. For some reason they made the assumption that no one would simply disable an account unless they wanted it to be a resource account. That is a rather large silly assumption in my mind but hey, they made it, we live with it. I mean come on, why wouldn't you just delete the mailbox versus just disable the account. The mailbox will hang around for a while anyway if you need to reconnect it so it shouldn't be an issue right? Wrong. Mailbox reconnects are a pain in the ass or in K3 you can use a crappy wmi interface to do it which is still a pain in the ass. Also if you disconnect a mailbox, you can't move it from one server to another, so if you have to do a quick move because of issues, the movemailbox mechanism isn't available unless you reconnect the disconnected mailboxes and then move them. I haven't talked to a large Enterprise using Exchange that this isn't an issue with.
 
Anyway...
 
With admod, you should be able to set the msExchMasterAccountSid attribute with the new binary attribute update capability, setting the SD is theoretically impossible with admod but I am not entirely convinced of that yet as I haven't proven it to myself. The SD that has to be updated is the msExchSD. Supposedly if the mailbox already exists in the store, you can not successfully modify the msExchSD in the directory and have it stick, you have to update the ACL in the store. I have not actually tried to do this so I can't say if it is true or not. I have some measure of hope that it may be possible because also according to the same documentation that says you can't modify that SD in AD, it also says that that SD doesn't contain the inherited ACEs and I have clearly seen that it does recently. So the docs are wrong on at least that aspect of it. Maybe they are wrong on the other as well.
 
Sorry about not having better news. This is just one of the things I had encountered over the years that gets me pissy about how Exchange uses AD. The permission structure is a nightmare with its combination of AD ACLs in the config with AD ACLs on the mail objects and the store ACLs and the MAPI folder property permissions, etc.
 
Anyway, your best bet is to use nomas and see how you like it or write a script to do the ACL setting. This is the main KB you will want to reference:
 
http://support.microsoft.com/kb/310866
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, June 07, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and disabling accounts

Hi Everyone,

After users (with mailboxes) leave the organization their user accounts are disabled for an amount of time and after that they are deleted.

When an account is disabled the attribute msExchUserAccountControl is set to 2. This tells Exchange to look at the attribute msExchMasterAccountSid for permissioning. However, when disabling a user account, Exchange starts complaining with event ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL within Exchange. This happens because the attribute msExchMasterAccountSid is empty and is not automatically populated when disabling the account. The solution to this is to have at least one account on the Exchange security descriptor of the mailbox of the disabled user account with the permission "Associated External Account", and if no account has this permission on the mailbox (which is the default) the solution is to at least add SELF with the permission "Associated External Account" through the GUI of ADUC. This is mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist in the domain that have been disabled at once, so Exchange is screaming in the event logs.

For one account the syntax is:
admod -b "<USER-DN>" <attribute>:+:<ACE>

For multiple accounts the syntax is:
adfind -default -f "(&(objectclass=user)(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))" -dsq | admod <attribute>:+:<ACE>

In this case:
<attribute> = ExchMailboxSecurityDescriptor
<ACE> = SELF with "Read", "Full Mailbox Access" and "Associated external account"; translated to SDDL this is D:(A;CI;CCDCLCRC;;;PS)

I don't want to replace the DACL, I just want to add an ACE for SELF with the permissions mentioned to the ACL in the DACL.

Does anyone know how to do this with ADMOD and how to specify <ACE> in this case?
If someone has other suggestions/thought about this, I would love to hear them!

Thanks!
Cheers
#JORGE#
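
As an added example (not from the thread and not part of adfind/admod), a PowerShell script that automates the check and fix Jorge describes: it runs the same LDAP filter, parses each user's mailbox security descriptor, and appends the SELF ACE from the SDDL above only where no allow ACE already carries the external-account right, so the existing DACL is kept rather than replaced. It assumes the LDAP attribute is msExchMailboxSecurityDescriptor, that CCDCLCRC maps to mask 0x20007 with the external-account right at 0x4, and, given the reply's caveat that a directory-side write may not stick for a mailbox already in the store, it defaults to a dry run ($Apply = $false).

```powershell
# Added example: add a SELF "Associated External Account" ACE to the mailbox SD
# of disabled users that have no msExchMasterAccountSid. Dry run unless $Apply.
$Apply = $false
# Same filter as the adfind command in the post
$filter = "(&(objectClass=user)(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"", $filter)
$null = $searcher.PropertiesToLoad.Add("msExchMailboxSecurityDescriptor")  # assumed attribute name
$null = $searcher.PropertiesToLoad.Add("distinguishedName")
$selfSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-10")  # PS = SELF
$externalAccountMask = 0x4       # "LC" in D:(A;CI;CCDCLCRC;;;PS), assumed
$fullAceMask = 0x20007           # CC (0x1) + DC (0x2) + LC (0x4) + RC (0x20000)

foreach ($r in $searcher.FindAll()) {
    $dn  = $r.Properties["distinguishedName"][0]
    $raw = $r.Properties["msExchMailboxSecurityDescriptor"]
    if ($raw.Count -eq 0) { Write-Warning "$dn has no mailbox SD in AD, skipping"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$raw[0]), 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        # Null DACL: create an empty one so an ACE can be added
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(2, 1)
    }
    # Look for any existing allow ACE that already grants the external-account right
    $alreadyGranted = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            ($ace.AccessMask -band $externalAccountMask) -ne 0) { $alreadyGranted = $true }
    }
    if ($alreadyGranted) { Write-Host "OK   $dn already has an external-account ACE"; continue }
    # Append (not replace) the ACE from the post: allow, container-inherit, SELF
    $newAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $fullAceMask, $selfSid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Write-Host "FIX  $dn : would add SELF external-account ACE (new SDDL: $($sd.GetSddlForm('Dacl')))"
    if ($Apply) {
        $entry = $r.GetDirectoryEntry()
        $entry.Properties["msExchMailboxSecurityDescriptor"].Value = $bytes
        $entry.CommitChanges()
    }
}
```

After a run with $Apply = $true, confirm the 9548 events stop for the affected users; if they continue, the store copy of the ACL still needs updating as the reply and KB 310866 describe.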