Associated external accounts Exchange 2007
Following an acquisition of another company B, we have established a full forest trust with the acquired company B's user domains.
We migrated some users from the acquired company B's users but their mailboxes are still with company B's mailbox servers. When Outlook 2003 fires up they are then prompted to authenticate with DomainB using their DomainB credentials. This works fine, but causes no end of confusion (and support cost) with them using two sets of credentials.
What I would like to achieve in the meantime is to give their migrated account full permissions to their Exchange 2007 DomainB mailbox so that they are not prompted to authenticate every time Outlook is fired up. However, if I change their mailbox to a linked mailbox, I believe that will disable logons for their DomainB account. This scenario was possible under Exchange 2003 (had it working), but I don't see how to achieve it under Exchange 2007.
So, how to create associated external account in Exchange 2007?
October 19th, 2010 5:06pm
Why don't you just give the account in the trusted domain Full Mailbox Access and Send As permissions. That achieves the same thing.
A linked mailbox isn't designed for the scenario that you have outlined, because of the lack of login to the account in the domain with Exchange installed.
Simon.
Simon Butler, Exchange MVP
October 19th, 2010 7:13pm
On Tue, 19 Oct 2010 21:03:59 +0000, John JY wrote:
>Following an acquisition of another company B, we have established a full forest trust with the acquired company B's user domains.
>We migrated some users from the acquired company B's users but their mailboxes are still with company B's mailbox servers. When Outlook 2003 fires up they are then prompted to authenticate with DomainB using their DomainB credentials. This works fine, but causes no end of confusion (and support cost) with them using two sets of credentials.
Did you add company B's SID to the migrated user account's sIDHistory
attribute in your directory?
---
Rich Matheisen
MCSE+I, Exchange MVP
October 19th, 2010 11:06pm
Thank you for the help.
>Did you add company B's SID to the migrated user account's sIDHistory
>attribute in your directory?
Yes. We migrated users in company B to company A with SID history enabled. But, right now, we can not move their mailboxes to company A. So, these migrated users' mailboxes are still in company B. After we do user migration with SID history, we have to reconfigure the Outlook profile with the company B (source account) account, and this is administrative overhead.
Is there a better way to handle this?
Thank you.
October 20th, 2010 9:20am
Thank you.
>Why don't you just give the account in the trusted domain Full Mailbox Access and Send As permissions. That achieves the same thing.
Do you know if we assign the rights as you described, will the account in the trusted domain access the OWA?
Thank you.
October 20th, 2010 9:50am
Also, how do you assign the full mailbox access using the trusted domain account in another forest?
It seems that Exchange 2007 console can only recognize the local forest which the exchange server resides?
Thank you.
October 20th, 2010 10:06am
You will have to assign the permissions through ADUC, not the Management Console.
It should work for OWA as well.
Simon.
Simon Butler, Exchange MVP
October 20th, 2010 10:31am
Thank you.
I went through the ADUC advanced security tab and I could not find full mailbox access rights. This is Exchange 2007, not Exchange 2003.
My situation is this:
Account: migrated users of the source domain in the target domain.
Exchange: their mailboxes are still in the source domain.
Now, when these users logon to the target domain, they need to access the mails and OWA which is in the source domain.
I know the Exchange 2003 associated external account works fine. I do not know how we change users in the source domain to use the linked account?
Thank you for the help.
October 20th, 2010 10:49am
Set Send As and Receive As. They do the same thing (you would have to set Send As anyway).
Simon.
Simon Butler, Exchange MVP
October 20th, 2010 11:31am
Thank you for the help.
Set the rights as you specified.
I can open the outlook (mail server in source domain) without any problem in the target domain.
But, when I access the OWA, I have to use the source domain account. They use forms-based authentication.
Since I can not put targetdomain\user in the logon screen, I have to use the source account to access the OWA.
Is there a way around?
October 20th, 2010 2:46pm
On Wed, 20 Oct 2010 13:17:10 +0000, John JY wrote:
>Thank you for the help.
>>Did you add company B's SID to the migrated user account's sIDHistory
>>attribute in your directory?
>Yes. We migrated users in company B to company A with SID history enabled. But, right now, we can not move their mailboxes to company A. So, these migrated users' mailboxes are still in company B. After we do user migration with SID history, we have to reconfigure the Outlook profile with the company B (source account) account, and this is administrative overhead. Is there a better way to handle this? Thank you.
So they log on to their desktop with credentials in Company A?
Disable the account in company B and assign the user in company A the
"Associated External Account" rights on the mailbox in company B.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 20th, 2010 3:19pm
Thank you.
>So they log on to their desktop with credentials in Company A?
Yes.
>Disable the account in company B and assign the user in company A the
>"Associated External Account" rights on the mailbox in company B.
This is Exchange 2007 SP2 and I can not find this "Associated External Account"???
Can you help me on that?
Thank you.
October 20th, 2010 3:42pm
On Wed, 20 Oct 2010 19:41:01 +0000, John JY wrote:
>Thank you.
>>So they log on to their desktop with credentials in Company A?
>Yes.
>>Disable the account in company B and assign the user in company A the
>>"Associated External Account" rights on the mailbox in company B.
>This is Exchange 2007 SP2 and I can not find this "Associated External Account"??? Can you help me on that? Thank you.
Use the "Add-MailboxPermission" cmdlet and add the "ExternalAccount"
access right for the user.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 20th, 2010 10:01pm
Thank you.
I thought I needed to make the mailbox a linked mailbox in Exchange 2007.
>Use the "Add-MailboxPermission" cmdlet and add the "ExternalAccount"
>access right for the user.
This will assign users rights to the mailbox and how do I do associated external account?
(Exchange 2007 makes this very different than Exchange 2003.)
Thank you very much.
October 21st, 2010 10:03am
Thank you.
I thought I needed to make the mailbox a linked mailbox in Exchange 2007.
>Use the "Add-MailboxPermission" cmdlet and add the "ExternalAccount"
>access right for the user.
Do you have cmdlet for ExternalAccount or script for this?
Thank you very much.
October 21st, 2010 10:03am
On Thu, 21 Oct 2010 14:00:36 +0000, John JY wrote:
>I thought I needed to make the mailbox a linked mailbox in Exchange 2007.
>>Use the "Add-MailboxPermission" cmdlet and add the "ExternalAccount" access right for the user.
>This will assign users rights to the mailbox and how do I do associated external account? (Exchange 2007 makes this very different than Exchange 2003.) Thank you very much.
I'm not sure I understand that.
The account you're going to assign the ExternalAccount right to is the
one from the other AD forest.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 21st, 2010 10:03pm
Thank you.
>The account you're going to assign the ExternalAccount right to is the
>one from the other AD forest.
Sorry and I probably misunderstood.
Here is the cmd for Add-mailboxpermission from MS:
Add-MailboxPermission [-Identity <MailboxIdParameter>] -Instance <MailboxAcePresentationObject> [-AccessRights <MailboxRights[]>] [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-User <SecurityPrincipalIdParameter>] [-WhatIf [<SwitchParameter>]]
I do not see an "ExternalAccount" switch. What I ask: in Exchange 2003, we can check "Associated external Account". In Exchange 2007, I do not see it??
Thank you for your support.
October 22nd, 2010 9:33am
On Fri, 22 Oct 2010 13:33:34 +0000, John JY wrote:
>>The account you're going to assign the ExternalAccount right to is the
>>one from the other AD forest.
>Sorry and I probably misunderstood. Here is the cmd for Add-mailboxpermission from MS:
>Add-MailboxPermission [-Identity <MailboxIdParameter>] -Instance <MailboxAcePresentationObject> [-AccessRights <MailboxRights[]>] [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-User <SecurityPrincipalIdParameter>] [-WhatIf [<SwitchParameter>]]
>I do not see "ExternalAccount" switch.
No, you don't. You see the "-AccessRights" parameter. "External
Account" is one of the possible "MailboxRights".
Use "help set-mailboxpermission -detailed" and you'll see the list of
possible values.
>What I ask: in Exchange 2003, we can check "Associated external Account". in Exchange 2007, I do not see it??
You use EMS to set the right, not the EMC.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 22nd, 2010 9:25pm
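The ExternalAccount value of -AccessRights described above, set from the EMS and then checked, as an added example (not code from the thread); "testuser", ACCOUNTFOREST\jsmith, the database name and the Get-User UserAccountControl check are assumptions/placeholders.

```powershell
# Added example: grant an account-forest user the Exchange 2003-style "Associated External
# Account" right on an Exchange 2007 mailbox from the EMS, verify the ACE, and audit a whole
# database for ExternalAccount grants that point outside the expected account forest.
# Assumptions: run in the resource forest's Exchange Management Shell; the names below are placeholders.

$Mailbox       = "testuser"
$MasterAccount = "ACCOUNTFOREST\jsmith"   # the enabled account the user actually logs on with

# 1. ExternalAccount and FullAccess are both values of the MailboxRights enumeration accepted by
#    -AccessRights; there is no separate -ExternalAccount switch (see help Add-MailboxPermission -detailed).
Add-MailboxPermission -Identity $Mailbox -User $MasterAccount -AccessRights FullAccess, ExternalAccount

# 2. Confirm an explicit (non-inherited, non-Deny) ACE for the master account now carries ExternalAccount.
$aces = Get-MailboxPermission -Identity $Mailbox -User $MasterAccount |
        Where-Object { -not $_.IsInherited -and -not $_.Deny }
$granted = ($aces | ForEach-Object { "$($_.AccessRights)" }) -join " "
if ($granted -notlike "*ExternalAccount*") {
    throw "ExternalAccount right is missing on $Mailbox for $MasterAccount"
}

# 3. The resource-forest account is never a logon identity; warn if it is still enabled.
#    (Assumption: Get-User exposes UserAccountControl, which lists AccountDisabled when set.)
$resUser = Get-User -Identity $Mailbox
if ("$($resUser.UserAccountControl)" -notlike "*AccountDisabled*") {
    Write-Warning "$Mailbox is still enabled in the resource forest; disable it in ADUC"
}

# 4. Audit: list every explicit ExternalAccount grant in a database and flag principals that are
#    not in the expected account forest (a stray grant is a second, unreviewed path into the mailbox).
function Get-ExternalAccountGrants {
    param([string]$Database, [string]$ExpectedForest = "ACCOUNTFOREST")
    Get-Mailbox -Database $Database -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and ("$($_.AccessRights)" -like "*ExternalAccount*") } |
            Select-Object @{Name="Mailbox";         Expression={ $mbx.Alias }},
                          @{Name="ExternalAccount"; Expression={ "$($_.User)" }},
                          @{Name="Deny";            Expression={ $_.Deny }},
                          @{Name="Unexpected";      Expression={ "$($_.User)" -notlike "$ExpectedForest\*" }}
    }
}
Get-ExternalAccountGrants -Database "SERVER01\First Storage Group\Mailbox Database" |
    Format-Table -AutoSize
```

As the thread goes on to find, this grant is enough for Outlook but OWA may additionally require the mailbox's RecipientTypeDetails to be LinkedMailbox; the audit function is useful either way.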
Hi Rich,
Thank you.
Yes, I was able to see it now.
So, for this to work, I need to assign the account master (account forest) to full access, External Account access rights and disable the account in the resource forest?
What's the difference between the above steps and linked mailboxes?
Thank you for your support.
October 25th, 2010 11:42pm
On Mon, 25 Oct 2010 20:42:01 +0000, John JY wrote:
>So, for this to work, I need to assign the account master (account forest) to full access, External Account access rights and disable the account in the resource forest?
>What's the difference between the above steps and linked mailboxes?
There is none. Usually, a Linked Mailbox is created as a Linked
Mailbox. You have one that's a regular old mailbox that you want to
use as if it were a linked mailbox.
I know there's no (supported) way to turn a linked mailbox into a
regular mailbox. I've never tried to turn a regular mailbox into a
linked mailbox, though. Try it on a test mailbox and see if it works.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 25th, 2010 11:54pm
Hi Rich,
Thank you for your continuing support.
>So, for this to work, I need to assign the account master (account forest) to full access, External Account access rights and disable the account in the resource forest?
Are these right steps? I just enabled one user in the account forest to have fullaccess and externalaccount to the testuser mailbox in the resource forest
get-mailbox testuser | Add-mailboxpermission -accessrights fullaccess,externalaccount -user "account forest\user"
When I configure outlook 2003, I have no problem to access testuser mailbox when I logon "account forest\user"
But, I can not access the OWA by using "account forest\user". The resource forest uses form based authentication.
What might I miss?
Thank you very much.
October 26th, 2010 12:50pm
On Tue, 26 Oct 2010 16:45:50 +0000, John JY wrote:
>
>
>Hi Rich,
>
>Thank you for your continuing support.
>
>>So, for this to work, I need to assign the account master (account forest) to full access, External Account access rights and disable the account in the resource forest?
>
>Are these right steps? I just enabled one user in the account forest to have fullaccess and externalaccount to the testuser mailbox in the resource forest
>
>get-mailbox testuser | Add-mailboxpermission -accessrights fullaccess,externalaccount -user "account forest\user"
>
>When I configure outlook 2003, I have no problem to access testuser mailbox when I logon "account forest\user"
>
>But, I can not access the OWA by using "account forest\user". The resource forest uses form based authentication.
>
>What might I miss?
It may not be you. :-)
OWA may insist that the RecipientTypeDetails of the mailbox be
"LinkedMailbox" (that'd be a value of "2").
Follow this to change that "testuser" mailbox and see if it makes a
difference:
http://technet.microsoft.com/en-us/library/bb201694(EXCHG.80).aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
October 26th, 2010 10:59pm
Hi Rich,
Thank you.
So, Exchange 2007's linked mailbox is more like the Exchange 2003's external associated account?
October 27th, 2010 9:30am
On Wed, 27 Oct 2010 13:24:07 +0000, John JY wrote:
>Hi Rich,
>
>Thank you.
>
>So, Exchange 2007's linked mailbox is more like the Exchange 2003's external associated account?
The "ExternalAccount" permission is the "Associated External Account"
permission. But Exchange 2007 adds additional properties to a
mailbox-enabled user that identify the type of mailbox. If the
recipient type details aren't identifying the mailbox as a linked
mailbox then OWA (or the CAS) may not allow the connection.
Did you try recreating that user's mailbox as a linked mailbox?
---
Rich Matheisen
MCSE+I, Exchange MVP
October 27th, 2010 10:07pm
Thank you.
>Did you try recreating that user's mailbox as a linked mailbox?
Yes, through EMC and EMS. I can access OWA. I just need to figure out how to script them by storage group?
Now, I need to find out whether there is an issue to move linked mailboxes to Exchange 2010 servers in the future?
Is there any?
Thank you.
October 28th, 2010 2:00pm
On Thu, 28 Oct 2010 17:55:06 +0000, John JY wrote:
>>Did you try recreating that user's mailbox as a linked mailbox?
>Yes, through EMC and EMS. I can access OWA. I just need to figure out how to script them by storage group?
You should have only one database per storage group so you can use
"get-mailbox" with the "-database" parameter.
>Now, I need to find out whether there is an issue to move linked mailboxes to Exchange 2010 servers in the future? Is there any?
None that I know of.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 28th, 2010 9:01pm
Thank you.
>Yes, through EMC and EMS. I can access OWA. I just need to figure out how to script them by storage group?
>You should have only one database per storage group so you can use
>"get-mailbox" with the "-database" parameter
I guess that I can not script them by storage group. How do I match each resource account with linked master Account?
Also,
>The "ExternalAccount" permission is the "Associated External Account"
>permission. But Exchange 2007 adds additional properties to a
>mailbox-enabled user that identify the type of mailbox. If the
>recipient type details aren't identifying the mailbox as a linked
>mailbox then OWA (or the CAS) may not allow the connection.
I read some posts that change recipienttypedetails from 2 to 1 through ADSIedit, which turns the linked mailbox into a user mailbox.
Just wonder if we do the opposite way: change recipienttypedetails from 1 to 2, will it change the user mailbox to a linked mailbox?
That means that I do not do all these: disable mailbox, disable account and reconnect mailbox for converting user mailbox to linked mailbox. Do you know whether this would work?
Another question: can we enable the account through ADUC after converting user mailbox to linked mailbox?
Thank you for your generous time and help.
October 30th, 2010 5:10pm
On Sat, 30 Oct 2010 21:06:38 +0000, John JY wrote:
>Thank you.
>>>Yes, through EMC and EMS. I can access OWA. just need to figure out how to script them by storage group?
>>You should have only one database per storage group so you can use "get-mailbox" with the "-database" parameter
>I guess that I can not script them by storage group.
Not directly, but you can get all the databases in a storage group and
process them one at a time.
>How do I match each resource account with linked master Account? Also,
That's up to you, isn't it? You could put the information into a CSV
file, I suppose.
>>The "ExternalAccount" permission is the "Associated External Account"
>>permission. But Exchange 2007 adds additional properties to a
>>mailbox-enabled user that identify the type of mailbox. If the
>>recipient type details aren't identifying the mailbox as a linked
>>mailbox then OWA (or the CAS) may not allow the connection.
>I read some posts that change recipienttypedetails from 2 to 1 through ADSIedit which turns the linked mailbox to user mailbox. Just wonder if we do the opposite way: change recipienttypedetails from 1 to 2, will it change the user mailbox to linked mailbox? That means that I do not do all these: disable mailbox, disable account and reconnect mailbox for converting user mailbox to linked mailbox. Do you know whether this would work?
It will change the RecipientTypeDetails, but it won't do anything
else.
>Another question: can we enable the account through ADUC after converting user mailbox to linked mailbox?
Yes.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 30th, 2010 5:26pm
Hi Rich,
Thank you.
>>I read some posts that change recipienttypedetails from 2 to 1 through ADSIedit which turns the linked mailbox to user mailbox. Just wonder if we do the opposite way: change recipienttypedetails from 1 to 2, will it change the user mailbox to linked mailbox? That means that I do not do all these: disable mailbox, disable account and reconnect mailbox for converting user mailbox to linked mailbox. Do you know whether this would work?
>It will change the RecipientTypeDetails, but it won't do anything else.
That means that I have to follow
http://technet.microsoft.com/en-us/library/bb201694(EXCHG.80).aspx to convert user mailbox to linked mailbox?
If I convert user mailbox to linked mailbox, I do not need to assign full rights and external rights to the account master(for OWA and outlook). Is this correct?
>>Another question: can we enable the account through ADUC after converting user mailbox to linked mailbox?
>Yes.
I remember that in Exchange 2003 it's not recommended that you enable the account after you check "external associated account".
Any drawback on enabling the account through ADUC after converting user mailbox to linked mailbox in Exchange 2007?
Thank you for your help.
October 31st, 2010 4:33pm
On Sun, 31 Oct 2010 20:28:52 +0000, John JY wrote:
>>>I read some posts that change recipienttypedetails from 2 to 1 through ADSIedit which turns the linked mailbox to user mailbox. Just wonder if we do the opposite way: change recipienttypedetails from 1 to 2, will it change the user mailbox to linked mailbox? That means that I do not do all these: disable mailbox, disable account and reconnect mailbox for converting user mailbox to linked mailbox. Do you know whether this would work?
>>It will change the RecipientTypeDetails, but it won't do anything else.
>That means that I have to follow http://technet.microsoft.com/en-us/library/bb201694(EXCHG.80).aspx to convert user mailbox to linked mailbox?
Yes, either one-at-a-time or by scripting the process.
>If I convert user mailbox to linked mailbox, I do not need to assign full rights and external rights to the account master(for OWA and outlook). Is this correct?
You'll have an "account forest" and a "resource forest". In the
account forest the user is enabled and uses that account to log on.
In the resource forest the account is disabled and isn't used for
authentication at all, so the account should be disabled.
In order for the account in the account forest to use the mailbox in
the resource forest the resource forest account must nominate the
account forest account as the "External Account". That should be
sufficient since the "SELF" account has the Full Mailbox Access
permission.
>>>Another question: can we enable the account through ADUC after converting user mailbox to linked mailbox?
>>Yes.
>I remember that in Exchange 2003 it's not
>recommended that you enable the account after you check "external associated account". Any drawback on enabling the account through ADUC after converting user mailbox to linked mailbox in Exchange 2007?
Enabling the account won't hurt anything, but it's unusual to see it
enabled in a resource forest.
---
Rich Matheisen
MCSE+I, Exchange MVP
October 31st, 2010 5:24pm
Hi Rich,
Sorry to bother you again.
>In order for the account in the account forest to use the mailbox in
>the resource forest the resource forest account must nominate the
>account forest account as the "External Account". That should be
>sufficient since the "SELF" account has the Full Mailbox Access
>permission.
Just wonder if I follow
http://technet.microsoft.com/en-us/library/bb201694(EXCHG.80).aspx to convert existing user mailboxes to linked mailbox
I do not see "External Account" mailbox permission I need to specify. Does the linkedmasteraccount serve the same purpose?
Thank you for your time and help.
November 2nd, 2010 10:03am
On Tue, 2 Nov 2010 13:58:05 +0000, John JY wrote:
>Sorry to bother you again.
>>In order for the account in the account forest to use the mailbox in
>>the resource forest the resource forest account must nominate the
>>account forest account as the "External Account". That should be
>>sufficient since the "SELF" account has the Full Mailbox Access
>>permission.
>Just wonder if I follow http://technet.microsoft.com/en-us/library/bb201694(EXCHG.80).aspx to convert existing user mailboxes to linked mailbox I do not see "External Account" mailbox permission I need to specify. Does the linkedmasteraccount serve the same purpose? Thank you for your time and help.
Yes.
help connect-mailbox -detailed
..
..
..
-LinkedMasterAccount <UserIdParameter>
The LinkedMasterAccount parameter specifies the master account in
the forest where the user account resides, if this mailbox is a
linked mailbox. The master account is the account to which the
mailbox links. The master account will grant access to the
mailbox. You can use one of the following values:
---
Rich Matheisen
MCSE+I, Exchange MVP
November 2nd, 2010 8:26pm
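The conversion discussed through the thread (disable the mailbox, keep the resource-forest account disabled, reconnect it with -LinkedMasterAccount) scripted per database of a storage group from the CSV mapping Rich suggests; this is an added example, not code from the thread or the TechNet article. The storage group name, account-forest DC, credential, CSV path and column names are placeholders.

```powershell
# Added example: convert the UserMailboxes in one storage group into linked mailboxes, driven by a
# CSV mapping each mailbox alias to its account-forest master account, then verify that
# RecipientTypeDetails is LinkedMailbox (the property OWA/CAS checks).
# Assumptions: Exchange Management Shell in the resource forest; all names below are placeholders.

$StorageGroup = "SERVER01\First Storage Group"
$LinkedDC     = "dc1.accountforest.example"                   # a DC in the account forest
$LinkedCred   = Get-Credential "ACCOUNTFOREST\svc-readonly"   # only needs to read that forest
$Mapping      = Import-Csv "C:\migration\linked-mapping.csv"  # columns: Alias,MasterAccount (DOMAIN\user)
$Log          = "C:\migration\linked-conversion.log"

# Phase 1: detach each mapped mailbox and make sure its resource-forest account is disabled.
$Work = @()
foreach ($db in Get-MailboxDatabase -StorageGroup $StorageGroup) {
    $userMailboxes = Get-Mailbox -Database $db.Identity -ResultSize Unlimited |
                     Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" }
    foreach ($mbx in $userMailboxes) {
        $row = $Mapping | Where-Object { $_.Alias -eq $mbx.Alias }
        if (-not $row) { "SKIP $($mbx.Alias): no master account in mapping" | Out-File $Log -Append; continue }
        $item = @{ Guid = $mbx.ExchangeGuid; Db = $db.Identity; Dn = $mbx.DistinguishedName;
                   Alias = $mbx.Alias; Master = $row.MasterAccount }
        Disable-Mailbox -Identity $mbx.Identity -Confirm:$false
        # A linked mailbox's resource-forest user is never a logon identity: set ADS_UF_ACCOUNTDISABLE (0x2).
        $ad  = [ADSI]("LDAP://" + $mbx.DistinguishedName)
        $uac = [int]$ad.userAccountControl.Value
        $ad.Put("userAccountControl", ($uac -bor 2))
        $ad.SetInfo()
        $Work += $item
    }
    # Disabled mailboxes only show up as disconnected after the database has been cleaned.
    Clean-MailboxDatabase -Identity $db.Identity
}

# Phase 2: reconnect each mailbox to the same (now disabled) user as a linked mailbox and verify.
foreach ($w in $Work) {
    Connect-Mailbox -Identity $w.Guid -Database $w.Db -User $w.Dn `
        -LinkedDomainController $LinkedDC -LinkedMasterAccount $w.Master -LinkedCredential $LinkedCred
    $chk = Get-Mailbox -Identity $w.Dn
    if ($chk.RecipientTypeDetails -ne "LinkedMailbox" -or "$($chk.LinkedMasterAccount)" -ne $w.Master) {
        "FAIL $($w.Alias): type=$($chk.RecipientTypeDetails) master=$($chk.LinkedMasterAccount)" | Out-File $Log -Append
    } else {
        "OK   $($w.Alias) -> $($w.Master)" | Out-File $Log -Append
    }
}
```

Run it first against a single test mailbox in a test database, as Rich advises, and review the log before touching a production storage group.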
So stupid, another admin function that was left out of the EMC..
July 11th, 2011 7:55pm