Title: Exchange and disabling accounts

I wrote a batch file used during terminations that included granting the SELF account the associate external account permission.  I used a tool called admodcmd.  I believe this is the site: http://blogs.technet.com/exchange/archive/2004/08/20/208045.aspx


admodcmd -dn "john doe" -s -grantselffullandread

admodcmd -dn "john doe" -s -grantselfaea


-Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, June 07, 2005 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and disabling accounts


Hi Everyone,

After users (with mailboxes) leave the organization their user accounts are disabled for an amount of time and after that they are deleted.

When an account is disabled the attribute msExchUserAccountControl is set to 2. This tells Exchange to look at the attribute msExchMasterAccountSid for permissioning. However, when disabling a user account, Exchange starts complaining with event ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL within Exchange. This happens because the attribute msExchMasterAccountSid is empty and is not automatically populated when disabling the account. The solution to this is to have at least one account on the Exchange security descriptor of the mailbox of the disabled user account with the permission "Associated External Account", and if no account has this permission on the mailbox (which is the default) the solution is to at least add SELF with the permission "Associated External Account" through the GUI of ADUC. This is mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist in the domain that have been disabled at once. So Exchange is screaming in the event logs.

For one account the syntax is:
admod -b "<USER-DN>" <attribute>:+:<ACE>

For multiple accounts the syntax is:
adfind -default -f "(&(objectclass=user)(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))" -dsq | admod <attribute>:+:<ACE>

In this case:
<attribute> = ExchMailboxSecurityDescriptor
<ACE> = SELF with "Read" "Full Mailbox Access" "Associated external account" translated to SDDL this is D:(A;CI;CCDCLCRC;;;PS)

I don't want to replace the DACL, I just want to add an ACE for SELF with the permissions mentioned to the ACL in the DACL.

Does anyone know how to do this with ADMOD and how to specify <ACE> in this case?
If someone has other suggestions/thought about this, I would love to hear them!

Thanks!
Cheers
#JORGE#
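The operation Jorge describes, appending an allow ACE for SELF to the mailbox DACL without replacing the entries already there, as an added example that is not part of the thread and does not use admod: it parses the SDDL with the .NET RawSecurityDescriptor class and returns the new SDDL string. The starting descriptor is a constructed sample, the 0x4 (LC) bit is assumed here to be the "Associated External Account" right, and writing the result back to the msExchMailboxSecurityDescriptor attribute is not shown.

```powershell
# Added example (not from the thread): add an allow ACE for SELF to an existing
# msExchMailboxSecurityDescriptor DACL without replacing the ACEs already in it.
# The starting SDDL is a constructed sample; write-back to AD is not shown.
function Add-SelfMailboxAce {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')  # SELF, "PS" in SDDL

    # Access mask from the thread's ACE string CCDCLCRC:
    #   CC = 0x1, DC = 0x2, LC = 0x4, RC = 0x20000 (READ_CONTROL)
    $mask   = 0x1 -bor 0x2 -bor 0x4 -bor 0x20000
    $aeaBit = 0x4   # assumed here to be the "Associated External Account" right

    # A descriptor with no D: part has a null DACL; give it an empty one first
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(
            [System.Security.AccessControl.GenericAcl]::AclRevision, 1)
        $sd.SetFlags($sd.ControlFlags -bor
            [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent)
    }

    # Idempotence: skip if SELF already holds an allow ACE carrying the AEA bit
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $self.Value -and
            (($ace.AccessMask -band $aeaBit) -ne 0)) {
            return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        }
    }

    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $self, $false, $null)

    # Append after the existing entries so nothing already granted is disturbed
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample: an admin group and one user already on the mailbox, no SELF entry
$sample = 'D:(A;CI;RCWDWO;;;BA)(A;CI;CCDCLCRC;;;S-1-5-21-1111-2222-3333-1105)'
Add-SelfMailboxAce -Sddl $sample
```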



