Well, from my understanding you have a choice of either giving SELF the
associate external account permission or changing it via ldif import to:
AQEAAAAAAAUKAAAA

I currently run a script I wrote to find these accounts and change the
attribute every few weeks… I'll get these guys to use my termination methods
soon enough ;-)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN

Hello;

Indeed, I have used admodify for 1 year because it's a great tool that fits
all my needs without having much knowledge in dev..... like me :)

AD 2003 has this option of bulk modifying objects' attributes but it's a bit
limited.

Alex: Joe stated that you have to set associated external account and the
msExchangeMasterAccountSid attribute to self.

I think that admodcmd -dn "john doe" -s -grantselfaea is for "associated
external account" and admodcmd -dn "john doe" -s -grantselffullandread is to
grant Full Mailbox Access and Read to SELF.

But what about setting the msExchangeMasterAccountSid attribute to self? Is it
the -grantselffullandread switch?

Regards,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex

I wrote a batch file used during terminations that included granting the SELF
account the associate external account permission. I used a tool called
admodcmd. I believe this is the site:
http://blogs.technet.com/exchange/archive/2004/08/20/208045.aspx

admodcmd -dn "john doe" -s -grantselffullandread
admodcmd -dn "john doe" -s -grantselfaea

-Alex

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto

Hi Everyone,

After users (with mailboxes) leave the organization their user accounts are
disabled for an amount of time and after that they are deleted. When an account
is disabled the attribute msExchUserAccountControl is set to 2. This tells
Exchange to look at the attribute msExchMasterAccountSid for permissioning.
However, when disabling a user account, Exchange starts complaining with event
ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL
within Exchange. This happens because the attribute msExchMasterAccountSid is
empty and is not automatically populated when disabling the account.

The solution to this is to at least have one account on the Exchange security
descriptor of the mailbox of the disabled user account with the permission
"Associated External Account" and if no account has this permission on the
mailbox (which is default) the solution is to at least add SELF with the
permission "Associated External Account" through the GUI of ADUC. This is
mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist
in the domain that have been disabled at once. So Exchange is screaming in the
event logs.

For one account the syntax is:

For multiple accounts the syntax is:

In this case:
I don't want to replace the DACL, I just want to add an ACE for SELF with the
permissions mentioned to the ACL in the DACL. Does anyone know how to do
this with ADMOD and how to specify <ACE> in this case? Thanks!
Title: Exchange and disabling accounts
- RE: [ActiveDir] Exchange and disabling accounts Alex Fontana
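
The base64 string quoted in the first reply is the binary form of the well-known SID S-1-5-10 (NT AUTHORITY\SELF). The following is an added example, not code from any poster in the thread: it converts between binary and string SIDs and builds the LDIF modify record that sets msExchMasterAccountSid. The DN is a constructed placeholder and is assumed to be plain ASCII, so it needs no base64 encoding in the LDIF.

```python
import base64
import struct

SELF_SID_B64 = "AQEAAAAAAAUKAAAA"  # value quoted in the thread


def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID into its S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def str_to_sid(text: str) -> bytes:
    """Encode an S-R-I-S... string into the binary SID layout."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldif_set_master_sid(dn: str, sid: str = "S-1-5-10") -> str:
    """Build an LDIF modify record; '::' marks a base64-encoded value."""
    value = base64.b64encode(str_to_sid(sid)).decode("ascii")
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: msExchMasterAccountSid",
        "msExchMasterAccountSid:: " + value,
        "-",
        "",
    ])


if __name__ == "__main__":
    print(sid_to_str(base64.b64decode(SELF_SID_B64)))
    # Constructed DN, for illustration only.
    print(ldif_set_master_sid("CN=John Doe,OU=Disabled,DC=example,DC=com"))
```

Decoding the value before importing it confirms which principal the attribute will point at, which is worth doing for any base64 SID copied from a mail or script.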