RE: Major problems after migrating to Exchange 2000 last weekend

  • From: bparker@xxxxxxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Mon, 18 Aug 2003 02:57:44 -0600

Hi Neil

Thanks for the reply - you can send a direct response to
porkah9999@xxxxxxxxxxx as well as the list if you wish.

The scenario you describe is exactly right - ADC then ADMT then AD Cleanup
and the associated external account attribute is created BUT this does not
give any client permissions. The way I understand it is that as part of
the mailbox migration/public folder replication, these client permissions
are effectively converted to W2003 SIDs. When the user logs in to W2003
domain, the permissions work fine (on both PFs and, for example,
individual calendars). But if a user logs in to the old NT domain (i.e.
they have not yet undergone the "secondary" migration) the client
permissions do not even attempt to authenticate to the NT account, since
they are now associated solely with the new AD account.

Certainly this is the behaviour you actually see. 

My question therefore is: is there any way round this behaviour (I presume
this is working as designed as far as Microsoft are concerned) other than
to ADD the old NT account to the mailbox rights on the AD Mailbox enabled
account? This is a work-round but you CANNOT restrict access to say
calendar only.

Also is there anything that can be done as regards access to public
folders? At the moment (for the same reason as above), if they login
using their NT account, the client permissions do not try to authenticate
NT account so they have no access at all. If they login using new AD
account, everything is fine.

I suspect the ONLY answer is to migrate all the users so that they use
their new AD accounts, but this whole thing seems a little short-sighted
on behalf of Microsoft?

Thanks in advance...
