Hello,

Indeed, I have used admodify for 1 year because it's a great tool that fits all my needs without having much knowledge in dev... like me :)

AD 2003 has this option to bulk modify object attributes, but it's a bit limited.

Alex: joe stated that you have to set associated external account and the msExchangeMasterAccountSid attribute to self.

I think that

admodcmd -dn "john doe" -s -grantselfaea

is for "associated external account" and

admodcmd -dn "john doe" -s -grantselffullandread

is to grant Full Mailbox Access and Read to SELF.

But what about setting the msExchangeMasterAccountSid attribute to self? Is it the -grantselffullandread switch?

Regards,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, June 7, 2005 23:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and disabling accounts

I wrote a batch file used during terminations that included granting the SELF account the associated external account permission. I used a tool called admodcmd. I believe this is the site: http://blogs.technet.com/exchange/archive/2004/08/20/208045.aspx

admodcmd -dn "john doe" -s -grantselffullandread
admodcmd -dn "john doe" -s -grantselfaea

-Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto

Hi Everyone,

After users (with mailboxes) leave the organization, their user accounts are disabled for an amount of time and after that they are deleted.

When an account is disabled, the attribute msExchUserAccountControl is set to 2. This tells Exchange to look at the attribute msExchMasterAccountSid for permissioning. However, when disabling a user account, Exchange starts complaining with event ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL within Exchange. This happens because the attribute msExchMasterAccountSid is empty and is not automatically populated when disabling the account. The solution to this is to have at least one account on the Exchange security descriptor of the mailbox of the disabled user account with the permission "Associated External Account", and if no account has this permission on the mailbox (which is the default), the solution is to at least add SELF with the permission "Associated External Account" through the GUI of ADUC. This is mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist in the domain that have been disabled at once. So Exchange is screaming in the event logs.

For one account the syntax is:

For multiple accounts the syntax is:

In this case:

I don't want to replace the DACL, I just want to add an ACE for SELF with the permissions mentioned to the ACL in the DACL.

Does anyone know how to do this with ADMOD and how to specify <ACE> in this case?

Thanks!
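
An added example, not part of any message in this thread: one way to list the accounts that match the condition described above (disabled, mailbox-enabled, msExchMasterAccountSid empty) before deciding which ones need the SELF "Associated External Account" permission. The function name Find-OrphanedDisabledMailbox, the use of homeMDB as the mailbox test, and the sample objects are assumptions made for illustration; the sample objects are constructed and stand in for what Get-ADUser from the RSAT ActiveDirectory module would return.

```powershell
# Added example; Find-OrphanedDisabledMailbox is a hypothetical helper name.
function Find-OrphanedDisabledMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # ACCOUNTDISABLE is bit 0x2 of userAccountControl.
        $disabled   = ([int]$User.userAccountControl -band 0x2) -ne 0
        # Assumption: a populated homeMDB means the account has a mailbox.
        $hasMailbox = -not [string]::IsNullOrEmpty([string]$User.homeMDB)
        # Empty master account SID is the state the thread ties to event ID 9548.
        $masterSid  = $User.msExchMasterAccountSid
        $noMaster   = ($null -eq $masterSid) -or ([string]$masterSid -eq '')

        if ($disabled -and $hasMailbox -and $noMaster) {
            [pscustomobject]@{
                DistinguishedName        = $User.DistinguishedName
                msExchUserAccountControl = $User.msExchUserAccountControl
                Finding                  = 'disabled, mailbox-enabled, msExchMasterAccountSid empty'
            }
        }
    }
}

# Constructed sample records (not real directory data) so the block runs offline.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=John Doe,OU=Leavers,DC=example,DC=test'
                       userAccountControl = 514; homeMDB = 'CN=Store1 (constructed)'
                       msExchUserAccountControl = 2; msExchMasterAccountSid = $null },
    [pscustomobject]@{ DistinguishedName = 'CN=Jane Roe,OU=Leavers,DC=example,DC=test'
                       userAccountControl = 514; homeMDB = 'CN=Store1 (constructed)'
                       msExchUserAccountControl = 2; msExchMasterAccountSid = 'S-1-5-10' },
    [pscustomobject]@{ DistinguishedName = 'CN=Active User,OU=Staff,DC=example,DC=test'
                       userAccountControl = 512; homeMDB = 'CN=Store1 (constructed)'
                       msExchUserAccountControl = 0; msExchMasterAccountSid = $null }
)

# Only John Doe is reported: Jane Roe already has SELF (S-1-5-10) as master
# account, and Active User is not disabled.
$sample | Find-OrphanedDisabledMailbox | Format-List

# Against a live domain (assumes the ActiveDirectory module is installed):
# Get-ADUser -Filter * -Properties userAccountControl, homeMDB,
#     msExchMasterAccountSid, msExchUserAccountControl | Find-OrphanedDisabledMailbox
```

The resulting distinguished names can then be fed one by one to the admodcmd -grantselfaea command quoted earlier in the thread.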
Title: Exchange and disabling accounts
- RE: [ActiveDir] Exchange and disabling accounts TIROA YANN
- RE: [ActiveDir] Exchange and disabling account... Jorge de Almeida Pinto
- RE: [ActiveDir] Exchange and disabling account... Jorge de Almeida Pinto
- RE: [ActiveDir] Exchange and disabling account... Alex Fontana