Open User's Mailbox after Disabling Account in AD

We had an employee leave the company, so we disabled the account and the computer in AD. Although I have full permissions to all mailboxes, when I tried to add the employee's mailbox to Outlook, it let me. But then when I tried to expand the mailbox in Outlook it tells me "The set of folders could not be opened".

I thought this had to do with the account being disabled, so I re-enabled both accounts (the computer and the user) in AD. The same thing happens. Why can't I open this user's mailbox?

DVation191 (Author) asked the above.

ikm7176 (Sr. IT Manager) commented:
From the link I posted, read this part closely:

Note that Full mailbox access (FMA) and Read permissions are both set to Allow, but nothing else. This is the default setting for SELF. As you can see at the top of the dialog box, this mailbox is connected to the user Göran Husman – so SELF in this case is the user account Göran Husman. That is why SELF needs the FMA! If you remove the SELF object, the user cannot access his mailbox any longer – fix this by adding the SELF object manually.

Note: Any modification of permissions may take up to two hours before it gets activated. This is because you must wait for the DSAccess cache to be refreshed, which, by default, is done every two hours!


The problem is that you have a disabled user account, which in turn tells Exchange that there is no primary owner of this mailbox.
This will end up with problems for that mailbox getting any new mail messages; they will all be returned to the sender with a non-delivery report (NDR).

This problem is similar to the example we discussed above (Adam's mailbox): when you have a disabled user account, Exchange will look at the MEMAS property to see what user SID owns this mailbox. If no user account has been granted AEA, then MEMAS will be empty. So the solution is to grant SELF the AEA permission this time!

This applies to you

When you later on want to enable the account, you must also remember to remove the AEA permission for the SELF object; otherwise Exchange will see two owners of this mailbox: the enabled account and the one with AEA permission.

Note: You may think that the ADUC should be smart enough to grant and remove the AEA permission automatically, but it doesn’t! You must do this manually!

So what do you do if you find lots of 9548 events? One way is to manually grant AEA permissions (for disabled accounts), or remove the AEA permissions (for enabled accounts). But if there are too many, you will be happy to know that Alex Seigler, MS PSS, has written a utility that does the search and fix of those things for you. This tool is called NOMAS (No Master Account SID), and will very soon be publicly available at this URL: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/.
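
The two mismatch conditions described in the quoted article (a disabled account whose mailbox has no master account SID, and an enabled account that still has one) can be found with a directory search before touching anything in ADUC. The script below is an added example, not part of the original thread or of the NOMAS tool; it assumes an Exchange 2003-era schema (msExchMasterAccountSid and homeMDB present), a domain-joined machine, and an account that can read those attributes. It is read-only: the fix (granting or removing "Associated external account" on SELF) is still done by hand as described in the thread.

```powershell
# Added example (not from the original thread): report mailbox-enabled users whose
# AD account state and msExchMasterAccountSid disagree. Read-only; it changes nothing.
# Assumes an Exchange 2003-era schema and that the caller can read the attributes.

function Get-MasterAccountSidMismatch {
    param(
        # Search base; defaults to the naming context of the current domain (assumption)
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    # LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND; 0x2 is ACCOUNTDISABLE
    $disabled = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
    $enabled  = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    $mailbox  = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"

    $queries = [ordered]@{
        # Disabled, mailbox-enabled, no master account SID: Exchange sees no owner
        # (the event 9548 / NDR case). Fix: grant SELF "Associated external account".
        "DisabledWithoutMasterAccountSid" = "(&$mailbox$disabled(!(msExchMasterAccountSid=*)))"
        # Enabled but msExchMasterAccountSid still set: two owners. Fix: remove the
        # "Associated external account" grant that was added while it was disabled.
        "EnabledWithMasterAccountSid"     = "(&$mailbox$enabled(msExchMasterAccountSid=*))"
    }

    foreach ($name in $queries.Keys) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
        $searcher.Filter = $queries[$name]
        $searcher.PageSize = 1000
        [void]$searcher.PropertiesToLoad.AddRange(
            @("sAMAccountName", "distinguishedName", "homeMDB", "msExchMasterAccountSid"))

        foreach ($r in $searcher.FindAll()) {
            $sid = $null
            if ($r.Properties.Contains("msexchmasteraccountsid")) {
                # The attribute is a binary SID. S-1-5-10 is the well-known SELF SID,
                # which is what granting SELF the AEA right leaves here.
                $bytes = [byte[]]$r.Properties["msexchmasteraccountsid"][0]
                $sid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            }
            [pscustomobject]@{
                Condition           = $name
                SamAccountName      = [string]$r.Properties["samaccountname"][0]
                DistinguishedName   = [string]$r.Properties["distinguishedname"][0]
                HomeMDB             = [string]$r.Properties["homemdb"][0]
                MasterAccountSid    = $sid
                MasterAccountIsSelf = ($sid -eq "S-1-5-10")
            }
        }
    }
}

# Usage: list both conditions, then correct them by hand in ADUC (Exchange Advanced tab,
# Mailbox Rights) as the thread describes.
Get-MasterAccountSidMismatch | Format-Table -AutoSize
```

An enabled account reported with MasterAccountIsSelf set to True is exactly the "two owners" case from the article: the account was re-enabled without removing the AEA grant on SELF. Run the report again after making changes; as the article notes, Exchange's DSAccess cache can take up to two hours to pick up permission changes, but the directory attributes themselves update immediately, so the report reflects what Exchange will eventually see.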
 
DVation191 (Author) commented:
I read through it...and it makes sense. But my account is in the permissions as having full access. And before disabling the account I was able to open the mailbox no problem. I still don't know what is wrong. What is in that article you think I should be trying?
 
Jamie McKillop (IT Manager) commented:
Open the Properties page of the user in AD Users and Computers. Go to the Exchange Advanced tab. From the list of "Group or user names:" select SELF. Click "Allow" beside "Associated external account".

You may need to wait some time before this change takes effect then you should be able to open the mailbox.

JJ
 
DVation191 (Author) commented:
> "From the list of "group or user names:" select SELF. Click "Allow" beside "Associated external account". "
I checked off "allow" and waited ten minutes then tried to reconnect to the mailbox and got the same error.

> " Fix this by adding the self object manually. "
The SELF object is indeed there.

> "Note: Any modification of permissions may take up to two hours before it gets activated. This is because you must wait for the DSAccess cache to be refreshed, which, by default, is done every two hours!"
This is the only DC (Exchange runs on it), but I'll wait the two hours just to be sure.

> "The problem is that you have a disabled user account, which in turn tells Exchange that there is no primary owner of this mailbox."
OK, I understand... I re-enabled the account and made the modification to the SELF permissions; now I'll wait two hours to try again.

> "When you later on want to Enable Account, you must also remember to remove the AEA permission for the SELF object; otherwise Exchange will see two owners of this mailbox: the enabled account and the one with AEA permission. Note: You may think that the ADUC should be smart enough to grant and remove the AEA permission automatically, but it doesn’t! You must do this manually!"
Oh crap... OK, so if AEA has Allow permissions, the account needs to be disabled... and if the account is enabled, AEA has to be removed from the permissions???
 
ikm7176 (Sr. IT Manager) commented:
You have to follow one of the two options:

1. Allow AEA, in which case you do not enable the account, or
2. Re-enable the account and grant the SELF account FMA.

Read the article carefully again; you are getting confused. :)

Cheers !
 
DVation191 (Author) commented:
Ah, finally it worked! Sorry for the confusion... just glad I got it worked out. Thanks, guys.
Question has a verified solution.