Microsoft KB Archive/319047

= You receive a non-delivery report when you send a message to a disabled account =

Article ID: 319047

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



This article was previously published under Q319047



SYMPTOMS
When you try to send an e-mail message to a disabled account in Microsoft Exchange 2000 Server, you may receive a non-delivery report (NDR) similar to the following message:

Your message did not reach some or all of the intended recipients.

Subject:

Sent:

The following recipient(s) could not be reached:

Recipient on Date Time

The message reached the recipient's e-mail system, but delivery was refused. Attempt to resend the message. If it still fails, contact your system administrator.



CAUSE
This issue occurs because the disabled account does not have the msExchMasterAccountSid attribute. When an account is disabled, this field must be populated with a Windows NT Security Identifier (SID). At a minimum, the well-known SELF SID must be in the attribute.



WORKAROUND
To work around this issue, enable the disabled account.

Alternatively, to work around this issue if a small number of mailboxes is involved, generate an msExchMasterAccountSid attribute:
 * 1) On the View menu in the Active Directory Users and Computers snap-in, click Advanced Features.
 * 2) On the Exchange Advanced properties tab of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission.
 * 3) If no account has this permission, grant the SELF Account, Associated External Account, and Full Mailbox Access permissions.

Note The SELF account is available in all Microsoft Windows 2000 domains. All SELF accounts share a well-known SID that is the same across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF as the account name.
 * 1) If the SELF account or another account currently has Associated External Account permissions, remove the Associated External Account permissions from that account.

Only one account at a time can have the Associated External Account permission. Therefore, to reset the permission, you must first remove this permission.
 * 1) Exit all properties dialog boxes for the user object. To do this, click OK at each level. Do not click Cancel.

Changes to permissions are not applied until you exit all properties dialog boxes.
 * 1) After the DsAccess cache is refreshed, the new configurations take effect. E-mail messages that are sent to the disabled account no longer generate NDRs.

You can use Lightweight Directory Access Protocol (LDAP) tools such as the ADSI Edit snap-in, the LDP utility, or Ldifde.exe to view the attributes of the user object and verify that the msExchMasterAccountSid attribute has been created. Because of directory replication and Exchange cache refresh latencies, you may have to wait up to two hours after you make the change before you can move the mailbox.

To set the msExchMasterAccountSid attribute for many disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Exchange 2000 Server Service Pack 2 (SP2), a new interface is exposed in CDOEXM. This interface is named MailboxRights. This exposure lets you programmatically modify the mailbox security descriptor. For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:

322890 How to associate an external account with an existing Exchange 2000 mailbox

For information about other methods that you can use to set the msExchMasterAccountSid attribute for many disabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

To determine how many disabled user accounts do not have the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:

ldifde -f file.txt -d &quot;dc=domain,dc=com&quot; -l nothing -r &quot;(&(objectclass=user)(msexchuseraccountcontrol=2)(!msexchmasteraccountsid=*))&quot;

The following list describes the LDIFDE parameters:
 * -f: This switch indicates the export destination file.
 * -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as .com, it would become &quot;dc=corp,dc=company,dc=com&quot;.
 * -l: This switch, if it is used, restricts the output to the export file of only the attributes that are enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names and not attributes are generated.
 * -r: This switch indicates the LDAP search filter by using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all the user objects that are disabled (msExchMasterAccountControl value of 2) and that do not have an msExchMasterAccountSid attribute.

The following text is an example of the output file: dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com changetype: add dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com changetype: add

. . . . . For more information about how to use LDIFDE in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

237677 Using LDIFDE to import and export directory objects to Active Directory

Note We do not recommend that you use the LDIFDE command-line utility or the ADSIEDIT tool to create, to modify, or to delete the msExchMasterAccountSid attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

903158 A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox

Additional query words: AD XADM

Keywords: kbprb KB319047

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.