sidHistory and msExchMasterAccountSID blues!
hello!
We have a situation where we need to remove the legacy sidHistory attribute on about 1500 users. While testing, we discovered that doing this broke the user's mailbox association. To resolve this we had to remove the Exchange attributes, run the cleanup agent and reconnect the mailbox.
We subsequently noticed that this occurs where the msExchMasterAccountSID value matches the sidHistory attribute value, and when the sidHistory is deleted, the user has no rights to his mailbox.
We have tested adding the SELF account and assigning it "Associated External Account" rights. Now when the sidHistory value is deleted, there is no impact on the user.
Question is how do I action this against the remaining 1499 users via script? I believe you can do it via CDOEXM, but scripting languages not being a forte of mine, I am not sure what I am looking at.
Below is a script I found. Is this going to perform the SELF & Associated External Account rights assignment?
Option Explicit
' Constant declarations (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM values)
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
Const ADS_RIGHT_DS_CREATE_CHILD = 1
Const ADS_ACEFLAG_INHERIT_ACE = 2
' Mailbox rights bits, used for "Associated external account"
Const E2K_MB_FULL_MB_ACCESS = &H1
Const E2K_MB_SEND_AS = &H2
Const E2K_MB_EXTERNAL_ACCOUNT = &H4
Const E2K_MB_READ_PERMISSIONS = &H20000
Const E2K_MB_TAKE_OWNERSHIP = &H80000
' ********************************************************************
' Change these variables according to your environment.
Const sUserADsPath = "LDAP://SERVER/CN=USER,CN=Users,DC=ExchangeLab,DC=com"
Const sTrustee = "NT AUTHORITY\SELF"
' ********************************************************************
Dim objUser
Dim oSecurityDescriptor
Dim dacl
' Get the directory user object.
Set objUser = GetObject(sUserADsPath)
' Get the mailbox security descriptor (SD) through the CDOEXM MailboxRights property.
Set oSecurityDescriptor = objUser.MailboxRights
' Extract the Discretionary Access Control List (DACL) using the IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
' Grant the trustee "Full mailbox access" plus "Associated external account".
AddAce dacl, sTrustee, E2K_MB_FULL_MB_ACCESS Or E2K_MB_EXTERNAL_ACCOUNT, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Put the modified DACL back into the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save the new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor
' Commit changes from the property cache to the information store.
objUser.SetInfo
WScript.Echo "Done modifying the mailbox security descriptor"

' Build an AccessControlEntry from the supplied values and append it to the DACL.
Sub AddAce(dacl, sTrusteeName, lAccessMask, lAceType, lAceFlags, lFlags, sObjectType, sInheritedObjectType)
    Dim ace
    Set ace = CreateObject("AccessControlEntry")
    ace.AccessMask = lAccessMask
    ace.AceType = lAceType
    ace.AceFlags = lAceFlags
    ace.Flags = lFlags
    ace.Trustee = sTrusteeName
    ' ObjectType / InheritedObjectType are only set for object-specific ACEs.
    If CStr(sObjectType) <> "0" Then ace.ObjectType = sObjectType
    If CStr(sInheritedObjectType) <> "0" Then ace.InheritedObjectType = sInheritedObjectType
    dacl.AddAce ace
    Set ace = Nothing
End Sub
Stephane Favre
July 30th, 2012 9:20am
It's been a while since I used ADModify for Exchange 2003, but you should be able to bulk add Exchange permissions. In order to do bulk adds against the remaining mailboxes you need a common filter, or if you can't find a common filter you can just dump them all into a temp OU, given you know you won't break things for the users (i.e. GPO); if you can do it quickly, just dump them into the temp OU and move them back to their original OUs. If you go this route you need to document which OUs the users were in, so make sure you do an ldifde dump of all your AD objects for backup.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 30th, 2012 10:15am
Yes, you can use Admodify to do that.
Introduction to ADModify.net
http://technet.microsoft.com/en-us/library/aa996216(v=exchg.65).aspx
Thanks,
Evan Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Evan Liu
TechNet Community Support
July 31st, 2012 3:47am
What is the best way to generate a "workable" list?
I have used the following:
adfind -default -f "objectcategory=user" samaccountname objectsid sidhistory msexchmasteraccountsid >C:\output.txt
However the output comes out as:
dn:CN=xxx,OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=biz
>name: xxx
>objectSid: S-1-5-21-895308142-6885760-2067275281-24698
>sAMAccountName: xxx
>msExchMasterAccountSid: S-1-5-21-12604286-77816473-315576832-22540
However, if either the sidHistory or msExchMasterAccountSid is not set, it is not returned and hence some entries don't have either. This makes it impossible to import into Excel.
Any other tools I can use to get this info?
Stephane Favre
July 31st, 2012 4:24am
Answered my own question:
csvde -f c:\sid.csv -r "(objectclass=User)" -l DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid
Stephane Favre
July 31st, 2012 6:08am
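One way to turn that csvde export into a workable list for the bulk step, as an added Python example that is not from the thread: parse the CSV, split the multi-valued sIDHistory field, and flag the accounts whose msExchMasterAccountSid equals one of their sIDHistory values, since those are the ones that lose mailbox access when sidHistory is removed. It assumes csvde writes SID-syntax attributes as X'hex' rather than the S-1-5 text adfind prints, and normalises both forms; the sample rows and SIDs are constructed.

```python
import csv
import io

# Constructed sample in the shape of the csvde export above (header row,
# empty fields for unset attributes, multi-valued sIDHistory joined by ';').
# The SIDs are made-up placeholders; csvde writing SID attributes as X'hex'
# rather than S-1-5 text is an assumption.
SAMPLE_CSVDE = """DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid
"CN=alice,OU=Users,DC=example,DC=biz",alice,Adams,alice,X'0105000000000005150000006F000000DE0000004D010000E9030000',X'0105000000000005150000006F000000DE0000004D010000E9030000'
"CN=bob,OU=Users,DC=example,DC=biz",bob,Brown,bob,X'0105000000000005150000006F000000DE0000004D010000EA030000';X'010500000000000515000000BC0100002B0200009A020000D2070000',X'010500000000000515000000BC0100002B0200009A020000D2070000'
"CN=carol,OU=Users,DC=example,DC=biz",carol,Clark,carol,X'0105000000000005150000006F000000DE0000004D010000EB030000',X'01010000000000050A000000'
"CN=dave,OU=Users,DC=example,DC=biz",dave,Davis,dave,,
"""


def decode_sid(value):
    """Turn a csvde X'hex' SID into S-R-A-sub... form; S-1-... text passes through."""
    v = value.strip()
    if not (v[:2].upper() == "X'" and v.endswith("'")):
        return v
    raw = bytes.fromhex(v[2:-1])
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")           # 48-bit, big-endian
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")
            for i in range(count)]                        # 32-bit, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_csvde(text):
    """Yield one dict per account with SIDs normalised and sIDHistory as a list."""
    for row in csv.DictReader(io.StringIO(text)):
        hist = row.get("sIDHistory") or ""
        row["sIDHistory"] = [decode_sid(s) for s in hist.split(";") if s.strip()]
        master = row.get("msExchMasterAccountSid") or ""
        row["msExchMasterAccountSid"] = decode_sid(master) if master.strip() else ""
        yield row


def classify(text):
    """Split accounts into those that need the SELF / Associated External Account
    ACE before sIDHistory is removed (msExchMasterAccountSid equals one of the
    sIDHistory values) and those whose sIDHistory can be stripped as-is."""
    at_risk, clear = [], []
    for row in parse_csvde(text):
        master = row["msExchMasterAccountSid"]
        if master and master in row["sIDHistory"]:
            at_risk.append(row["sAMAccountName"])
        else:
            clear.append(row["sAMAccountName"])
    return at_risk, clear


if __name__ == "__main__":
    risky, ok = classify(SAMPLE_CSVDE)
    print("needs ACE first:", risky)
    print("safe to strip:  ", ok)
```

Point it at the real c:\sid.csv (read the file instead of SAMPLE_CSVDE) and the at_risk list is the set to feed into ADModify or the CDOEXM script before touching sidHistory.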
On Tue, 31 Jul 2012 10:08:26 +0000, stephanef wrote:
>answered my own question
>
>csvde -f c:\sid.csv -r "(objectclass=User)" -l DN,name,SN,sAMAccountName,sIDHistory,msExchMasterAccountSid
Sometimes the oldies are still goodies. :-)
---
Rich Matheisen
MCSE+I, Exchange MVP
July 31st, 2012 11:10am
Any updates on your first issue?
Did ADModify help you?
Thanks,
Evan Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Evan Liu
TechNet Community Support
August 1st, 2012 4:55am