Can Migration Manager for AD set the Associated External Account (AEA, also known as msExchMasterAccountSID) during a migration session, or when running a directory synchronization, to set the matched account on the opposite side of the domain pair?
To stamp the msExchMasterAccountSID on the target mailbox (making the source account the owner)
By default, and only during initial synchronization (not resynchronization), Directory Synchronization creates target accounts disabled, as long as the checkbox on the "Set Source Scope" screen in the Synchronization Properties is checked. This is so that source accounts can access target mailboxes as if they are the full owner. To accomplish this, the DSA adds the AEA (msExchMasterAccountSID) attribute of the matched source AD object (ObjectSID) to the disabled target accounts.
To enable setting of msExchMasterAccountSID for already existing target mailboxes do the following:
To stamp the msExchMasterAccountSID on the source mailbox (making the target account the owner)
Create a Migration Session with the "Disable Source Account" and "Enable Target Account" checkboxes selected.
Source accounts will be disabled. This process grants target accounts access to source mailboxes as if they are the full owner. To accomplish this, the DSA adds the AEA (msExchMasterAccountSID) attribute of the matched target AD object (ObjectSID) to every disabled source account.
Note: if a target account attempts to work in the target mailbox and msExchMasterAccountSID has not been cleared from the target mailbox, the user will find they do not have Full Control, because the source account is still the owner. The above procedure using a migration session can be run to clear msExchMasterAccountSID from the target AD mailbox.
PLEASE NOTE:
Before disabling source accounts, review the following KB, as disabling them can have serious repercussions for mail and Public Folder permissions in the source:
https://support.quest.com/kb/61173
Natively enabling disabled accounts in AD does not clear the AEA (msExchMasterAccountSID) attribute. Since it is not recommended to have an enabled account with the AEA configured, other tools, such as the NoMAS Tool from Microsoft Product Support Services, can be used to resolve this inconsistency. Please refer to the following Microsoft KB articles for more information:
http://support.microsoft.com/kb/555410/en-us
http://support.microsoft.com/kb/278966
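To find accounts left in this state, the following added example (not part of the Quest KB or of Migration Manager) lists enabled accounts that still have msExchMasterAccountSID set and resolves the SID where possible. It assumes the RSAT ActiveDirectory module; the search base and the helper name Resolve-Aea are placeholders introduced for illustration.

```powershell
# Added example: report enabled accounts that still carry an
# Associated External Account (msExchMasterAccountSID).
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$SearchBase = 'DC=example,DC=local'   # placeholder: DN of the domain or OU to audit

# msExchMasterAccountSID is present AND the ACCOUNTDISABLE bit (0x2) of
# userAccountControl is NOT set, i.e. the account is enabled.
$Filter = '(&(objectCategory=person)(objectClass=user)' +
          '(msExchMasterAccountSID=*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Hypothetical helper: normalise the attribute value and try to name the SID.
function Resolve-Aea {
    param($Raw)
    # The attribute may surface as a SecurityIdentifier or as raw bytes.
    $sid = if ($Raw -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($Raw, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$Raw
    }
    try {
        # Resolution fails if the other domain is unreachable or untrusted.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }
    [pscustomobject]@{ Sid = $sid.Value; Name = $name }
}

Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase `
           -Properties msExchMasterAccountSID, whenChanged |
    ForEach-Object {
        $aea = Resolve-Aea $_.msExchMasterAccountSID
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            AeaSid         = $aea.Sid
            AeaAccount     = $aea.Name
            WhenChanged    = $_.whenChanged
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

The script only reads from the directory; each row it returns is an account to review against the guidance above before the AEA is cleared.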