Solved

Open User's Mailbox after Disabling Account in AD

Posted on 2005-04-06
Last Modified: 2012-06-27
We had an employee leave the company so we disabled the account and the computer in AD. Although I have full permissions to all mailboxes, when I tried to add the employee's mailbox to Outlook, it let me. But then when I tried to expand the mailbox in Outlook it tells me "The set of folders could not be opened".

I thought this had to do with the account being disabled, so I re-enabled both accounts (the computer and the user) in AD. The same thing happens. Why can't I open this user's mailbox?
Question by:DVation191
 
LVL 20

Expert Comment

by:ikm7176
ID: 13717032
0
 
LVL 20

Author Comment

by:DVation191
ID: 13717111
I read through it...and it makes sense. But my account is in the permissions as having full access. And before disabling the account I was able to open the mailbox no problem. I still don't know what is wrong. What is in that article you think I should be trying?
0
 
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 200 total points
ID: 13717584
Open the Properties page of the user in AD users and computers. Go to the Exchange Advanced tab. From the list of "group or user names:" select SELF. Click "Allow" beside "Associated external account".

You may need to wait some time before this change takes effect; then you should be able to open the mailbox.

JJ
0
 
LVL 20

Accepted Solution

by:
ikm7176 earned 1800 total points
ID: 13717808
From the link I posted, read this part closely:

Note that the Full mailbox access (FMA) and the Read permissions are both set to Allow, but nothing else. This is the default setting for SELF. As you can see in the top of the dialog box, this mailbox is connected to the user Göran Husman – So SELF in this case is the user account Göran Husman. That is why SELF needs the FMA! If you remove the SELF object, the user cannot access his mailbox any longer – Fix this by adding the self object manually.

Note: Any modification of permissions may take up to two hours before it gets activated. This is because you must wait for the DSAccess cache to be refreshed, which, by default, is done every two hours!


The problem is that you have a disabled user account, which in turn tells Exchange that there is no primary owner of this mailbox.
This will end up with problems for that mailbox getting any new mail messages; they will all be returned to the sender with a non-delivery report (NDR).

This problem is similar to the example we discussed above (Adams mailbox): When you have a disabled user account, Exchange will look at the MEMAS property to see what user SID owns this mailbox. If no user account has been granted AEA, then MEMAS will be empty. So the solution is to grant SELF the AEA permission this time!

This applies to you

When you later on want to Enable Account, you must also remember to remove the AEA permission for the SELF object; otherwise Exchange will see two owners of this mailbox: the enabled account and the one with AEA permission.

Note: You may think that the ADUC should be smart enough to grant and remove the AEA permission automatically, but it doesn’t! You must do this manually!

So what do you do if you find lots of 9548 events? One way is to manually grant AEA permissions (for disabled accounts), or remove the AEA permissions (for enabled accounts). But if they are too many, you will be happy to know that Alex Seigler, MS PSS, has written a utility that does the search and fix of those things for you. This tool is called NOMAS (No Master Account SID), and will very soon be publicly available on this URL address: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/.
0
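The two mismatches the quoted article describes (a disabled account with no master account SID, and an enabled account that still has one) can be checked in bulk. This PowerShell function is an added example, not part of the original thread and not the NOMAS tool; it assumes "MEMAS" is the AD attribute `msExchMasterAccountSid` and that a mailbox-enabled user has `homeMDB` set, and `Test-MailboxOwner` and the sample users are hypothetical.

```powershell
# Added example (not from the thread). Assumptions: "MEMAS" = msExchMasterAccountSid,
# a mailbox-enabled user has homeMDB set. Test-MailboxOwner is a hypothetical name.
function Test-MailboxOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        if (-not $User.homeMDB) { return }          # no mailbox, nothing to check
        $hasMaster = [bool]$User.msExchMasterAccountSid
        $finding = if (-not $User.Enabled -and -not $hasMaster) {
            # Disabled account, MEMAS empty: Exchange sees no owner for the mailbox
            'Disabled, no master account SID: grant SELF the AEA permission'
        } elseif ($User.Enabled -and $hasMaster) {
            # Enabled account plus an AEA grant: Exchange sees two owners
            'Enabled, master account SID set: remove the AEA permission'
        } else {
            $null                                   # consistent state
        }
        if ($finding) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                Finding        = $finding
            }
        }
    }
}

# Constructed sample objects so the check runs offline.
# S-1-5-10 is the well-known SID for SELF; all other values are made up.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'leaver1'; Enabled = $false
                       homeMDB = 'CN=Mailbox Store (constructed)'; msExchMasterAccountSid = $null }
    [pscustomobject]@{ SamAccountName = 'leaver2'; Enabled = $false
                       homeMDB = 'CN=Mailbox Store (constructed)'; msExchMasterAccountSid = 'S-1-5-10' }
    [pscustomobject]@{ SamAccountName = 'rehire1'; Enabled = $true
                       homeMDB = 'CN=Mailbox Store (constructed)'; msExchMasterAccountSid = 'S-1-5-10' }
    [pscustomobject]@{ SamAccountName = 'svc-nomail'; Enabled = $true
                       homeMDB = $null; msExchMasterAccountSid = $null }
)
$sample | Test-MailboxOwner | Format-Table -AutoSize    # flags leaver1 and rehire1

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(homeMDB=*)' -Properties homeMDB, msExchMasterAccountSid |
#     Test-MailboxOwner
```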
 
LVL 20

Author Comment

by:DVation191
ID: 13717915
> "From the list of "group or user names:" select SELF. Click "Allow" beside "Associated external account". "
I checked off "allow" and waited ten minutes then tried to reconnect to the mailbox and got the same error.

> " Fix this by adding the self object manually. "
The SELF object is indeed there.

> "Note: Any modification of permissions may take up to two hours before it gets activated. This is because you must wait for the DSAccess cache to be refreshed, which, by default, is done every two hours!"
This is the only DC on which Exchange runs, but I'll wait the two hours just to be sure.

> "The problem is that you have a disabled user account, which in turn tells Exchange that there is no primary owner of this mailbox."
Ok I understand...I re-enabled the account and made the modification to SELF permissions, now I'll wait two hours to try again.

> "When you later on want to Enable Account, you must also remember to remove the AEA permission for the SELF object; otherwise Exchange will see two owners of this mailbox: the enabled account and the one with AEA permission. Note: You may think that the ADUC should be smart enough to grant and remove the AEA permission automatically, but it doesn’t! You must do this manually!"
Oh crap...ok so if AEA has allow permissions, the account needs to be disabled...if the account is enabled, AEA has to be removed from the permissions???





0
 
LVL 20

Assisted Solution

by:ikm7176
ikm7176 earned 1800 total points
ID: 13717997
You have to follow one of the 2 options:

1. Allow AEA, where you will not enable the account, or
2. Re-enable the account and grant the SELF account FMA

Read the article carefully again, you are getting confused. :)

Cheers !
0
 
LVL 20

Author Comment

by:DVation191
ID: 13718911
Ah, finally it worked! Sorry for the confusion...just glad I got it worked out...thanks guys.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
Exchange administrators are always vigilant about Exchange crashes and disasters that are possible any time. It is quite essential to identify the symptoms of a possible Exchange issue and be prepared with a proper recovery plan. There are multiple…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses
Course of the Month9 days, 11 hours left to enroll

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question