Mails to disabled accounts and msExchMasterAccountSid
Hi
We are running Exchange 2003 SP2.
Let's say I have an account/mailbox for John.Smith@domain.com
If I disable his account (and wait for replication etc) and send his mailbox an email, I do NOT receive an NDR and the message goes to his mailbox. I can check this by giving myself Full Mailbox access to his mailbox and checking the Inbox.
Apparently, if you disable an account and do not set the msExchMasterAccountSID attribute, the mailbox should be able to receive email. So, I used ADSIEdit and checked msExchMasterAccountSID - there was nothing set, the value was blank.
Any ideas? The only thing I can think of is the NOMAS utility - however, even that is supposed to set the msExchMasterAccountSID attribute (not sure to what?) - so I am confused!
Any ideas if the behaviour changes in Exchange 2007?
Any help appreciated!
June 17th, 2009 10:00pm
Hi Joe,
I would like to know whether you have restarted the Information Store service after disabling the user account.
According to following KB article:
A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox
http://support.microsoft.com/?id=903158
A disabled user account that is associated with an Exchange Server 2003 mailbox requires the Associated External Account right together with the msExchMasterAccountSid property for Exchange Server 2003 to successfully perform any one or more of the following actions:
Enable a different user to log on to the mailbox
Enable the mailbox to receive messages
Include the mailbox in a public folder access control list
Include the mailbox in a mailbox folder access control list
Move the mailbox
Enable the mailbox cleanup agent to successfully finish
The Microsoft Exchange Information Store service contains logic that assumes that every disabled user account that is associated with an Exchange Server 2003 mailbox has the Associated External Account right and the msExchMasterAccountSid property. If Exchange Server 2003 performs one of these actions on a disabled user account that does not have the msExchMasterAccountSid property, event ID 9548 is logged in the Application log. Additionally, the action that Exchange Server 2003 performed finishes unsuccessfully.
Therefore, if you do not have the hotfix KB903158 installed and the disabled user account does not have the msExchMasterAccountSid property set, the user mailbox should not be able to receive messages.
Mike
June 23rd, 2009 10:09am
Hi Mike,
We do not have 903158 or 916783 (the one that applies to Exchange 2003 SP2) installed, yet I can still receive the message.
One thing I notice is that KB916783 contained these files:
Exosal.dll - 6.5.7651.1
Mdbmsg.dll - 6.5.7651.14
Store.exe - 6.5.7651.14
I checked our Exchange servers, and all our files are of a later version than this.
In which case, would I be correct to assume that we would have implemented a later patch that contained this fix?
Thanks!
June 23rd, 2009 10:24pm
Hi Joe,
Thanks for your response.
Based on my research, I did not find any hotfixes which will replace KB916783. The hotfix 916783 is scheduled to be included in Exchange 2003 Service Pack 3.
Nevertheless, in my lab, I installed the hotfix 919169, which also replaced the three files with a newer version:
Exosal.dll 6.5.7651.45
Mdbmsg.dll 6.5.7651.45
Store.exe 6.5.7651.45
I am able to receive messages on the disabled account without the msExchMasterAccountSid property set. I can also configure another user to log on to the mailbox.
Mike
June 24th, 2009 9:02am
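An added example, not part of the thread or of the KB article: a PowerShell audit that lists mailbox-enabled accounts that are disabled and have no msExchMasterAccountSid, the combination discussed above, so each can be reviewed for mail still being delivered. It assumes a domain-joined host with read access to the directory; the function name, output columns and the sample search base are choices made here.

```powershell
# Added example (not from the thread). Lists disabled, mailbox-enabled users
# whose msExchMasterAccountSid attribute is not set.
function Get-DisabledMailboxWithoutMasterSid {
    param(
        # Optional search base, e.g. 'LDAP://OU=Staff,DC=example,DC=com'
        # (constructed placeholder). Default: the current domain.
        [string]$SearchRoot
    )

    # homeMDB=*                    -> the account has an Exchange mailbox
    # userAccountControl, bit 2    -> ACCOUNTDISABLE (bitwise-AND matching rule)
    # !(msExchMasterAccountSid=*)  -> the attribute is not set
    $filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              '(!(msExchMasterAccountSid=*)))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher.Filter   = $filter
    $searcher.PageSize = 500   # page the results so large domains are not truncated
    foreach ($name in 'sAMAccountName', 'mail', 'homeMDB', 'whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # @(...)[0] yields $null instead of an error when an attribute is absent.
            New-Object PSObject -Property @{
                Account     = @($r.Properties['samaccountname'])[0]
                Mail        = @($r.Properties['mail'])[0]
                MailboxDb   = @($r.Properties['homemdb'])[0]
                WhenChanged = @($r.Properties['whenchanged'])[0]
            } | Select-Object Account, Mail, MailboxDb, WhenChanged
        }
    }
    finally {
        $results.Dispose()     # release the underlying directory search handle
    }
}

# List the accounts, most recently changed first.
Get-DisabledMailboxWithoutMasterSid | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Whether a listed mailbox still accepts mail depends on the installed Store.exe build, as the replies above show, so the output is a review list, not proof of delivery.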