Disabled Active Directory user account and mailbox on Exchange 2003
Microsoft has released a hotfix for dealing with a disabled user account that has an associated Exchange Server 2003 mailbox.
Prior to this hotfix, the default behavior was that when you disabled a user account, all e-mail to that account would immediately begin to NDR (generate non-delivery reports). This is because disabled user accounts do not have a valid msExchMasterAccountSid attribute.
There were two solutions:
- Manually edit the mailbox rights and grant the SELF account Full Mailbox Access and Associated External Account
- Use the NoMAS (No Master Account SID) tool, which would automatically fix any and all accounts in the domain with a missing msExchMasterAccountSid attribute
Now we have the hotfix described in Article ID 903158.
A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox
A disabled user account that is associated with an Exchange Server 2003 mailbox requires the Associated External Account right together with the msExchMasterAccountSid property for Exchange Server 2003 to successfully perform any one or more of the following actions:
- Enable a different user to log on to the mailbox
- Enable the mailbox to receive messages
- Include the mailbox in a public folder access control list
- Include the mailbox in a mailbox folder access control list
- Move the mailbox
- Enable the mailbox cleanup agent to successfully finish
The Microsoft Exchange Information Store service contains logic that assumes that every disabled user account that is associated with an Exchange Server 2003 mailbox has the Associated External Account right and the msExchMasterAccountSid property. If Exchange Server 2003 performs one of these actions on a disabled user account that does not have the msExchMasterAccountSid property, event ID 9548 is logged in the Application log. Additionally, the action that Exchange Server 2003 performed finishes unsuccessfully.
A hotfix is available to change the logic in the Microsoft Exchange Information Store service. After you apply this hotfix, the Microsoft Exchange Information Store service acts as if the msExchMasterAccountSid property is set to the well-known SELF SID value. Therefore, instead of finishing unsuccessfully, the Microsoft Exchange Information Store service uses the objectSid property of the disabled user account.
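To find accounts in the state described above on servers that do not yet have the hotfix, the following added example (not part of the original article or of Microsoft's tooling) scans an LDIF export of user objects for disabled, mailbox-enabled accounts with no msExchMasterAccountSid. It assumes that the ACCOUNTDISABLE bit in userAccountControl marks a disabled account and that a populated homeMDB marks a mailbox; the function names and the sample export are constructed for illustration.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

# Constructed sample export (not real directory data). alice's homeMDB is folded
# onto a second line, as LDIF allows for long values.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,
 CN=EX01,CN=Servers,DC=example,DC=test

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,DC=example,DC=test
msExchMasterAccountSid:: AQEAAAAAAAUKAAAA

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 512
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,DC=example,DC=test

dn: CN=Dave Example,OU=Staff,DC=example,DC=test
sAMAccountName: dave
userAccountControl: 66050
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of raw values."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:       # folded continuation of previous value
            entry[last][-1] += line[1:]
        elif not line.strip():                  # blank line terminates the entry
            if entry:
                yield entry
            entry, last = {}, None
        elif not line.startswith("#"):          # skip LDIF comments
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.lstrip(": "))

def at_risk_mailboxes(text):
    """Return sAMAccountNames: disabled, mailbox-enabled, no msExchMasterAccountSid."""
    hits = []
    for e in parse_ldif(text):
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        has_sid = any(e.get("msexchmasteraccountsid", []))
        if uac & ACCOUNTDISABLE and "homemdb" in e and not has_sid:
            hits.append(e.get("samaccountname", e.get("dn", ["?"]))[0])
    return hits
```

Only alice is reported: bob already carries a master account SID, carol is still enabled, and dave is disabled but has no mailbox.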