Purpose of “Associated External Account” Exchange 2003

pts.
Tags:
Microsoft Exchange
Microsoft Outlook
Hello Everyone, Can anyone please explain to me the purpose of the "Associated External Account" permissions option available-- -->Under Active Directory Users and Computers -->the Exchange Advanced tab --> Mailbox Rights I know if you have a separate forest and you want to give permissions to a user from another forest you would have to give this permission so that this user can access the mailbox. Is there any other purpose to this permission option? Thanks in advance! aknair

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi !!

An associated external account is an account from another domain (NT or Active Directory) that has been given permissions to fully access an Exchange 2000 mailbox. There are only a few instances when you would use an associated external account. One is when you’re migrating from Windows NT 4.0 and Exchange 5.5 to Windows 2000 Active Directory (AD) and Exchange 2000, the other is when you’re using a separate Windows 2000 domain as a resource domain (and forest) for Exchange 2000.

I’ll address the second scenario first. In this case, you probably have a Windows 2000 AD forest structure. For security purposes, domain-wide account policies, and identity, you partitioned it into multiple forests; I’ll call them A (accounts) and E (Exchange). This might be the case if the business units housed in those forests are competitors and can’t (or won’t) share administrative responsibilities, but the overall company must share the same centrally administered Exchange infrastructure in forest E. So, you need to allow users in forest A to use mailboxes in forest E.

First, you must make sure you’ve created the appropriate inter-forest trusts between A and E. You must create them manually and they’re therefore non-transitive. Next, you must create one disabled user account in forest E for every account in forest A that needs to use a mailbox. You can do this with the Active Directory Migration Tool (ADMT), Clone Principle, or a third-party tool.

Once this is done, using the Advanced Features from the View menu in Active Directory Users and Computers (ADUnC), open the disabled user account properties and navigate to the Exchange Advanced tab and click on the Mailbox Rights button. This brings up a dialog box where you can add the account from the foreign forest/domain and choose to allow or deny the associated external account. Note you’ll also be required to grant the external account full mailbox access. Now the user can log on to their account domain, create a MAPI profile that points to the correct mailbox in Exchange 2000, and connect.

In the first scenario, migrating from Exchange 5.5 to 2000, you must be aware of two important items: the msExchMasterAccountSID and the SELF account. The msExchMasterAccountSID is an attribute of the mailbox-enabled, disabled user account that gets populated with the Security Identifier (SID) of the NT 4.0 account when you use Active Directory Connector (ADC) to populate AD from the Exchange 5.5 directory. There are some cases in which this doesn’t happen correctly and you must manually assign the SELF account external associated account permissions on the mailbox-enabled account. The SELF account has a well known value to be used for the msExchMasterAccountSID
(see http://support.microsoft.com/default.aspx?scid=kb;[LN];278966).
Once you’ve populated the AD with disabled user accounts, you can use the ADUnC to move the mailboxes from an Exchange 5.5 server to an Exchange 2000 server in the same Exchange Site. If, after the mailbox move, the user can’t access the mailbox, check the permissions to ensure that at least the SELF account is there. Better yet, using Windows tools such as LDIFDE, LDP, or ADSI Edit, check the properties of the account and ensure that the msExchMasterAccountSID has been populated appropriately. The NT 4.0 account should have been granted Send As on the user permissions, and Read, Associated External Account and Full Mailbox Rights on the mailbox permissions.

– Nilesh Roy. (nilesh@nileshroy.com)

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Aknair
    Hello Nilesh, Thank you for that detailed explanation. Certainly made my life simpler :) Thanks again! aknair
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following