sidHistory and msExchMasterAccountSID blues!
hello! We have a situation that we need to remove the legacy sidHistory attribute on about 1500 users. While testing, we discovered that doing this broke the user's mailbox association. To resolve this we had to remove the Exchange attributes, run the cleanup agent and reconnect the mailbox. We subsequently noticed that this occurs where the msExchMasterAccountSID value matches the sidHistory attribute value, and when the sidHistory is deleted, the user has no rights to his mailbox. We have tested adding the SELF account and assigning it "Associated External Account" rights. Now when the sidHistory value is deleted, there is no impact on the user. Question is how do I action this against the remaining 1499 users via script? I believe you can do it via CDOEXM, but scripting languages not being a forte of mine, I am not sure what I am looking at. Below is a script I found; is this going to perform the SELF & Associated External Account rights assignment?

Option Explicit
'Constant variable declarations
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
CONST ADS_RIGHT_DS_CREATE_CHILD = 1
CONST ADS_ACEFLAG_INHERIT_ACE = 2
'Used for Associated External Account
Const E2K_MB_FULL_MB_ACCESS = &H1
Const E2K_MB_SEND_AS = &H2
Const E2K_MB_EXTERNAL_ACCOUNT = &H4
Const E2K_MB_READ_PERMISSIONS = &H20000
Const E2K_MB_TAKE_OWNERSHIP = &H80000
' ********************************************************************
' Change these variables according to your environment.
Const sUserADsPath = "LDAP://SERVER/CN=USER,CN=Users,DC=ExchangeLab,DC=com"
Const sTrustee = "NT AUTHORITY\SELF"
' ********************************************************************
Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace
Dim bFound
bFound = False
'Get directory user object.
Set objUser = GetObject(sUserADsPath)
' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights
' Extract the Discretionary Access Control List (DACL) using the IADsSecurityDescriptor
' interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
' Grant the trustee Full Mailbox Access plus Associated External Account.
AddAce dacl, sTrustee, E2K_MB_FULL_MB_ACCESS Or E2K_MB_EXTERNAL_ACCOUNT, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Add the modified DACL to the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor
' Commit changes from the property cache to the information store.
objUser.SetInfo
wscript.echo "Done modifying the mailbox security descriptor"

' Helper the call above relies on; it was not included in the snippet as posted.
' Builds an ACE from the arguments and appends it to the supplied DACL.
Sub AddAce(dacl, Trustee, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = Trustee
    ' Object-type GUIDs only apply to object-specific ACEs; leave them unset when 0.
    If CStr(gObjectType) <> "0" Then Ace1.ObjectType = gObjectType
    If CStr(gInheritedObjectType) <> "0" Then Ace1.InheritedObjectType = gInheritedObjectType
    dacl.AddAce Ace1
End Sub

Stephane Favre
July 30th, 2012 9:20am

Been a while using admodify for Exchange 2003, but you should be able to bulk add Exchange perms. In order to do bulk adds against the remaining mailboxes you need a common filter, or if you can't find a common filter you can just dump them all to a temp OU, given you know you won't break things for the users (i.e. GPO); if you can do it quick, just dump them into the temp OU and move them back to their original OUs. If you go this route you need to document which OUs the users were in, so make sure you do an ldifde dump of all your AD objects for backup.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 30th, 2012 10:15am


Yes, you can use ADModify to do that.

Introduction to ADModify.net: http://technet.microsoft.com/en-us/library/aa996216(v=exchg.65).aspx

Thanks, Evan Liu TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Evan Liu TechNet Community Support
July 31st, 2012 3:47am

What is the best way to generate a "workable" list? I have used the following:

adfind -default -f "objectcategory=user" samaccountname objectsid sidhistory msexchmasteraccountsid >C:\output.txt

However the output comes out as:

dn:CN=xxx,OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=biz
>name: xxx
>objectSid: S-1-5-21-895308142-6885760-2067275281-24698
>sAMAccountName: xxx
>msExchMasterAccountSid: S-1-5-21-12604286-77816473-315576832-22540

However, if either the sidhistory or msexchmasteraccountsid is not set, it is not returned and hence some entries don't have either. This makes it impossible to import into Excel. Any other tools I can use to get this info?

Stephane Favre
July 31st, 2012 4:24am

answered my own question

csvde -f c:\sid.csv -r "(objectclass=User)" -l DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid

Stephane Favre
July 31st, 2012 6:08am
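Added example, not from the thread or from any of the tools it mentions: a Python script that reads a csvde export like the one produced by the command above and lists the users whose msExchMasterAccountSid also appears in sIDHistory, i.e. the accounts from the first post that lose access to their mailbox once sIDHistory is removed, so they can be given the SELF / Associated External Account ACE beforehand. It assumes the column names from the csvde command and that SIDs arrive either as S-1-... strings (as in the adfind output) or in csvde's X'hex' binary form; the sample rows are constructed.

```python
"""List users whose msExchMasterAccountSid is one of their sIDHistory values:
these mailboxes lose their owner when sIDHistory is cleared."""
import csv
import io
import struct

def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (revision, count, 48-bit authority, sub-authorities) to S-1-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)  # sub-authorities are little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def normalise_sid(value: str) -> str:
    """Accept either a string SID or csvde's X'hex' export of a binary attribute."""
    value = value.strip()
    if value.upper().startswith("X'") and value.endswith("'"):
        return sid_to_string(bytes.fromhex(value[2:-1]))
    return value

def split_multi(value: str) -> list:
    """csvde joins multi-valued attributes such as sIDHistory with ';' in one column."""
    return [normalise_sid(v) for v in value.split(";") if v.strip()]

def users_at_risk(csv_text: str) -> list:
    """Return (DN, matching SID) for every user whose master account SID
    is also present in that user's sIDHistory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        master = normalise_sid(row.get("msExchMasterAccountSid") or "")
        history = split_multi(row.get("sIDHistory") or "")
        if master and master in history:
            hits.append((row["DN"], master))
    return hits

# Constructed sample in the shape of the csvde export from the thread
# (DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid); the second
# row carries its sIDHistory in the X'hex' form csvde uses for binary values.
SAMPLE = """DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid
"CN=alice,OU=Users,DC=example,DC=biz",alice,A,alice,S-1-5-21-1-2-3-1001,S-1-5-21-1-2-3-1001
"CN=bob,OU=Users,DC=example,DC=biz",bob,B,bob,X'01020000000000052000000020020000',S-1-5-32-544
"CN=carol,OU=Users,DC=example,DC=biz",carol,C,carol,S-1-5-21-1-2-3-1003;S-1-5-21-9-9-9-7,S-1-5-21-1-2-3-9999
"CN=dave,OU=Users,DC=example,DC=biz",dave,D,dave,,
"""

if __name__ == "__main__":
    for dn, sid in users_at_risk(SAMPLE):
        print(dn, sid)
```

Feed the real c:\sid.csv to users_at_risk to get the DNs to put into the script from the first post.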


On Tue, 31 Jul 2012 10:08:26 +0000, stephanef wrote:
>answered my own question
>
>csvde -f c:\sid.csv -r "(objectclass=User)" -l DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid

Sometimes the oldies are still goodies. :-)
---
Rich Matheisen MCSE+I, Exchange MVP
July 31st, 2012 11:10am

Any updates on your first issue? Did ADModify help you? Thanks, Evan Liu TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Evan Liu TechNet Community Support
August 1st, 2012 4:55am
