Directory synchronization is running and mailbox-enabling most of the users, but a few are not getting mailbox-enabled.
When you view the problem target object in Active Directory Users and Computers, it looks like a mix of a user and a contact.
For example, there are Account and Profile tabs present, but the Exchange tabs look like they belong to a contact (there is no information store information on the Exchange General tab and Mailbox Rights button is missing on the Exchange Advanced page).
This can be caused by synchronizing users that are members of protected groups from source to target.
To verify:
1. Open properties of affected AD object
2. Select Security tab and press Advanced
3. Verify the checkbox is selected for "Allow inheritable permissions to propagate to this objects". If checkbox is unselected it indicates that the object was or is a member of protected group.
Members of protected groups do not inherit permissions from the parent container, causing issues when directory synchronization is trying to apply permissions and mailbox-enable the objects. RUS on the target Exchange server is unable to stamp "MailboxGuid" because of the same reason.
The following list contains the protected groups in Windows 2000:
Enterprise Admins
Schema Admins
Domain Admins
Administrators
The following list contains the protected groups in Microsoft Windows Server 2003 and in Windows 2000 after you apply hotfix 327825 or after you install Windows 2000 Service Pack 4 (SP4):
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
If the user is a member of a protected group, even when "Allow inheritable permissions to propagate to this object" checkbox is manually checked, active directory will remove it after a short period.
In order to resolve the problem, either remove these users from protected group, or clear the value of "adminCount" attribute and check the "Allow inheritable permissions.." checkbox on the user's object.
More information regarding this issue and possible ways of fixing it can be found in the following Microsoft KB articles:
Article ID 817433 - "Delegated permissions are not available and inheritance is automatically disabled":
http://support.microsoft.com/kb/817433/
Article ID 907434 - "The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server": http://support.microsoft.com/kb/907434/
© ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center