Microsoft KB Archive/251390

= How to find Exchange recipients that are associated with an NT account =

Article ID: 251390

Article Last Modified on 9/28/2007

-

APPLIES TO


 * Microsoft Active Directory Service Interfaces 1.0
 * Microsoft Active Directory Service Interfaces 2.0
 * Microsoft Active Directory Service Interfaces 2.5
 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange Server 5.5 Service Pack 1
 * Microsoft Exchange Server 5.5 Service Pack 2
 * Microsoft Exchange Server 5.5 Service Pack 3

-



This article was previously published under Q251390





SUMMARY
The sample code in this article uses Active Directory Services Interfaces (ADSI) along with a resource kit object from the Platform SDK to find all of the mailboxes linked to a particular Windows Domain account.

A Microsoft Exchange Server recipient may have a primary Windows Domain account associated with it. Since it is most common to associate a Windows Domain account with a mailbox, this article refers to the recipient as such. However, it is worth noting that a Windows Domain account can be linked with a custom recipient as well. In both cases, this link is created by storing the security identifier (SID) of the Windows Domain account in an attribute on the object in the directory.

back to the top

Find recipients that are associated with an NT account
ADSI has a Lightweight Directory Access Protocol (LDAP) provider that can be used to retrieve information from the Exchange directory. The mailbox attribute which stores the Primary Windows Domain account has an LDAP name of Assoc-NT-Account. The Assoc-NT-Account attribute does not contain the security account's textual name, but rather a binary string representation of the SID. Every object in the Windows NT Security Domain has an SID. Also, most of the objects, such as Windows NT user accounts, have names that can be displayed as MyDomain\MyUserName.

The example below takes the domain and username of a Windows Domain account as inputs. It retrieves the SID for that account from the primary domain controller as an array of bytes. Next, it converts the binary array into the string representation format that the SID is stored in by Exchange. Finally, the example queries Exchange for all Assoc-NT-Account attributes with that value and displays them.

The code below requires that both the ADSI run time and the ADsSecurity.dll file are properly installed on the system. The ADsSID class of the ADsSecurity object is used to retrieve the SID and covert it into the string representation. This process could be done in an application without the use of this object. However, it is included here so that the example can be used in a scripting environment.

'Dim oConn As ADODB.Connection 'Dim oRS As ADODB.Recordset 'Dim oSid As ADSSECURITYLib.ADsSID 'Dim strServerName As String 'Dim strDomain As String 'Dim strUsername As String 'Dim strSid As String 'Dim strQuery As String

Const ADS_SID_HEXSTRING = 1 Const ADS_SID_WINNT_PATH = 5

'To Do: replace with proper names in the environment strServerName = "MyExchangeServer" strDomain = "MyDomain" strUsername = "MyUsername"

Set oSid = CreateObject("ADsSid") 'from ResourceKit oSid.SetAs ADS_SID_WINNT_PATH, "WinNT://" & strDomain & "/" & strUsername 'Get the user account SID strSid = oSid.GetAs(ADS_SID_HEXSTRING) 'Convert to binary string

strQuery = ";(&(objectCategory=person)(Assoc-NT-Account=" & strSid & "));adspath,cn,mail;subtree"

Set oConn = CreateObject("ADODB.Connection") 'Create an ADO Connection oConn.Provider = "ADsDSOOBJECT"             ' ADSI OLE-DB provider oConn.Open "ADs Provider" Set oRS = oConn.Execute(strQuery)

If oRS.BOF And oRS.EOF Then MsgBox "Unable to retrieve your information" Else While Not oRS.EOF MsgBox "Mailbox : " & oRS.Fields("cn") & vbLf & "Email : " & oRS.Fields("mail") oRS.MoveNext Wend End If

'Clean Up Set oSid = Nothing oRS.Close oConn.Close Set oRS = Nothing Set oConn = Nothing back to the top

