Re: mailbox Association External Account

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 25 Apr 2005 10:13:39 -0400

On 4/25/05, Manjeet Singh <Manjeet.Singh@xxxxxxxxxxx> wrote:
> What is the association external account permission? What features is it used
> for?

(First link has plenty of info.)

" Study Associated External Accounts
There are only two instances where you want to use associated external
accounts. Learn what they are and how they benefit you during Exchange
by Chris Fox

September 2003 Issue

What is an associated external account and when should I use it? What
has it got to do with the msExchMasterAccountSID and the SELF account?

An associated external account is an account from another domain (NT
or Active Directory) that has been given permissions to fully access
an Exchange 2000 mailbox. There are only a few instances when you
would use an associated external account. One is when you're migrating
from Windows NT 4.0 and Exchange 5.5 to Windows 2000 Active Directory
(AD) and Exchange 2000, the other is when you're using a separate
Windows 2000 domain as a resource domain (and forest) for Exchange.

I'll address the second scenario first. In this case, you probably
have a Windows 2000 AD forest structure. For security purposes,
domain-wide account policies, and identity, you partitioned it into
multiple forests; I'll call them A (accounts) and E (Exchange). This
might be the case if the business units housed in those forests are
competitors and can't (or won't) share administrative
responsibilities, but the overall company must share the same
centrally administered Exchange infrastructure in forest E. So, you
need to allow users in forest A to use mailboxes in forest E.

First, you must make sure you've created the appropriate inter-forest
trusts between A and E. You must create them manually and they're
therefore non-transitive. Next, you must create one disabled user
account in forest E for every account in forest A that needs to use a
mailbox. You can do this with the Active Directory Migration Tool
(ADMT), ClonePrincipal, or a third-party tool.

Once this is done, using the Advanced Features from the View menu in
Active Directory Users and Computers (ADUnC), open the disabled user
account properties and navigate to the Exchange Advanced tab and click
on the Mailbox Rights button. This brings up a dialog box where you
can add the account from the foreign forest/domain and choose to allow
or deny the associated external account (see Figure 1). Note you'll
also be required to grant the external account full mailbox access.
Now the user can log on to their account domain, create a MAPI profile
that points to the correct mailbox in Exchange 2000, and connect.

In the first scenario, migrating from Exchange 5.5 to 2000, you must
be aware of two important items: the msExchMasterAccountSID and the
SELF account. The msExchMasterAccountSID is an attribute of the
mailbox-enabled, disabled user account that gets populated with the
Security Identifier (SID) of the NT 4.0 account when you use Active
Directory Connector (ADC) to populate AD from the Exchange 5.5
directory. There are some cases in which this doesn't happen correctly
and you must manually assign the SELF account external associated
account permissions on the mailbox-enabled account. The SELF account
has a well-known value to be used for the msExchMasterAccountSID (see
Resources). Once you've populated the AD with disabled user accounts,
you can use the ADUnC to move the mailboxes from an Exchange 5.5
server to an Exchange 2000 server in the same Exchange Site. If, after
the mailbox move, the user can't access the mailbox, check the
permissions to ensure that at least the SELF account is there. Better
yet, using Windows tools such as LDIFDE, LDP, or ADSI Edit, check the
properties of the account and ensure that the msExchMasterAccountSID
has been populated appropriately. The NT 4.0 account should have been
granted Send As on the user permissions, and Read, Associated External
Account and Full Mailbox Rights on the mailbox permissions.

About the Author
Chris Fox is a senior systems engineer with a major company where he
specializes in architecting and implementing enterprise scale
solutions based on the Microsoft platform. He was previously a senior
solutions consultant with Compaq. He can be reached at
"

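An added example, not part of this post or of the quoted article, of the msExchMasterAccountSID check the article recommends, run over a constructed LDIFDE export rather than a live directory: it decodes the binary SID and reports, for each disabled mailbox-enabled account, whether the attribute is missing, holds the well-known SELF SID (S-1-5-10), or points at an external (NT 4.0 or foreign-forest) account. The DNs, store name and domain SIDs in the sample are made up.

```python
import base64
import struct

SELF_SID = "S-1-5-10"    # well-known SID of the SELF principal the article refers to
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts

def sid_to_bytes(sid):  # encode 'S-rev-authority-sub...' into AD's binary form (builds the sample)
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(raw):  # decode: revision, sub-authority count, 48-bit BE authority, LE sub-authorities
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)

def parse_ldif(text):  # minimal LDIF reader: 'attr:: value' is base64 (binary), blank line ends a record
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            key, sep, val = line.partition("::" if "::" in line else ":")
            cur[key.strip()] = base64.b64decode(val.strip()) if sep == "::" else val.strip()
    return entries

def audit(ldif_text):  # map each disabled, mailbox-enabled user DN to the state of its master account SID
    findings = {}
    for e in parse_ldif(ldif_text):
        if "homeMDB" not in e or not int(e.get("userAccountControl", "0")) & ACCOUNTDISABLE:
            continue  # only the disabled placeholder accounts the article describes matter here
        raw = e.get("msExchMasterAccountSID")
        if raw is None:
            findings[e["dn"]] = "missing"  # grant SELF the Associated External Account right, re-export
        elif bytes_to_sid(raw) == SELF_SID:
            findings[e["dn"]] = "self"
        else:
            findings[e["dn"]] = "external:" + bytes_to_sid(raw)  # NT 4.0 or foreign-forest account
    return findings

def entry(cn, uac, sid=None):  # one constructed LDIFDE-style record; DNs, store name and SIDs are made up
    rec = "dn: CN=%s,OU=Mailboxes,DC=forest-e,DC=example\nuserAccountControl: %d\n" % (cn, uac)
    rec += "homeMDB: CN=Mailbox Store (EX1),CN=forest-e\n"
    if sid:
        rec += "msExchMasterAccountSID:: %s\n" % base64.b64encode(sid_to_bytes(sid)).decode()
    return rec

SAMPLE_LDIF = "\n".join([entry("alice", 514, "S-1-5-21-111-222-333-1104"), entry("bob", 514, SELF_SID),
                         entry("carol", 514), entry("dave", 512, "S-1-5-21-111-222-333-1105")])
```

Running `audit()` on a real `ldifde -f` export of the mailbox OU gives the same three states per account; "missing" entries are the ones to fix in the Mailbox Rights dialog before users report they cannot open the mailbox.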
