• Status: Solved

Can't Open the Mailbox of a Recently Enabled User (Error: -2147221231)

I have a user in our Exchange 2003 / Windows Server 2003 environment who was disabled for the past few days, but who has an Exchange mailbox. Today, someone needed access to his mailbox. I thought that simply re-enabling the account, and telling the user to go to open --> other user's folder in Outlook would do it (the user has privileges to do this), but instead they get the error "Unable to display the folder. The information store could not be opened".

On the exchange machine, 2 errors are logged in event log:

Event ID 1022, Logon Failure on database "First Storage Group\Mailbox Store (Name)" - Windows 2000 account ECOURIERUK\user; mailbox /o=XXX/ou=First Administrative Group/cn=Recipients/cn=user.
Error: -2147221231

and

Disabled user /o=Name/ou=First Administrative Group/cn=Recipients/cn=user does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.

Now, I looked these up and tried the fix that was suggested, which was to open the user's account in AD, go to Exchange Advanced and ensure the SELF account was the "associated external account". There was nothing with this priv, so I assigned it to SELF. Then, I even went to ESM and set RUS to rebuild. Granted I haven't waited too long, but I still get the same error messages in the event log, and I still can't log on to this user's mailbox.

Help!
Asked by: jbreg
 
virag Commented:
Run mailbox cleanup agent and reconnect the mailbox.
 
jbreg (Author) Commented:
Now things are a little stranger. Without doing anything (just waiting) I can now log on to the user's mailbox from Outlook Web Access.

But, when I try and go to open --> other user's folder in Outlook it says "Unable to display the folder. The inbox could not be found"

Should I still run mailbox cleanup agent and reconnect? Could you give a more step-by-step on this?
 
virag Commented:
Yes, try running the mailbox cleanup agent and see whether it gives any errors, i.e. a red cross on the mailbox or not. If yes, just simply reconnect the mailbox with the user name.

ikm7176 Commented:
You have to follow one out of the 2 options:

1. Allow AEA, where you will not enable the account, or
2. Re-enable the account and grant the SELF account FMA

From the link:  http://msd2d.com/newsletter_tip.aspx?section=exchange&id=f610a3ac-b2e6-4917-8e60-e1ff2ff7d4a9


When you have a disabled user account, Exchange will look at the MEMAS (MsExchMasterAccountSid) property to see what user SID owns this mailbox. If no user account has been granted AEA, then MEMAS will be empty. So the solution is to grant SELF the AEA permission this time!

or

When you later on want to Enable Account, you must also remember to remove the AEA permission for the SELF object; otherwise Exchange will see two owners of this mailbox: the enabled account and the one with AEA permission.

Note: Any modification of permissions may take up to two hours before it gets activated. This is because you must wait for the DSAccess cache to be refreshed, which, by default, is done every two hours!

see the links below

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21378453.html
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21395002.html
 
jbreg (Author) Commented:
Ok guys,

1. I have run the mailbox cleanup agent, no red cross or other errors. There is no option to reconnect (greyed out) as it seems to be properly connected.
2. When I try and open the mailbox from Outlook I still get an error "Unable to display the folder. The inbox folder could not be found"
3. I am able to access the folder fine via OWA.

4. The account is enabled and SELF has priv of:
-read permissions
-full mailbox access
-associated external account

In sum, the problem is that despite following all the steps outlined, I can access the mbox from the web, but not by opening it in my Outlook. I have full mailbox access permissions to this user's mailbox.

What else could be wrong?
 
ikm7176 Commented:
Exchange Full Administrators do not have the right to open any mailbox found on any server within the Exchange organization.

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
http://www.petri.co.il/self_permission_on_exchange_mailboxes.htm

You enabled the account and associated external account to SELF account

You have to follow one out of the 2 options:

1. Allow AEA, where you will not enable the account, or
2. Re-enable the account and grant the SELF account FMA

Cheers !!
 
jbreg (Author) Commented:
No, mate, you don't understand, I have explicitly already given myself full control over all mailboxes on that server. There should not be any problem. The problem does not appear to be with permissions but rather something else.

This is an interesting one, because I just realised that the problem is that I get the same error with ANY user's mailbox I try to open via outlook:

If, from outlook 2003, I go to open --> other user's folder, then select the user and inbox (or anything else for that matter) I get

"Unable to display the folder. The <foldername> folder could not be found" (i.e. the calendar, inbox, or whatever I try to open).

Any ideas?
 
Vahik Commented:
You as an admin have full mailbox rights on the mailbox store PLUS allow send as and allow receive as permission and still can't open other users' mailboxes? This is strange...
Why don't you run forestprep and domainprep again and see if that would help you?
 
marc_nivens Commented:
This can happen if your account is missing the msExchMailboxSecurityDescriptor attribute. Open ADSIEdit and find your account, open properties, and find this attribute. If you see nothing in the box this is not it and you can ignore the rest of this. But if you see <not set> then this is probably your issue. The only way to repopulate this is with CDOEXM, your best bet is using a tool like ADModify (http://www.admodify.net) to set this. On one of the Exchange tabs in the tool, there should be a check box called "set msExchMailboxSecurityDescriptor".
 
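The attribute states discussed in the answers above (a disabled account with an empty msExchMasterAccountSid, an enabled account that still carries one, and an unset msExchMailboxSecurityDescriptor) can be checked read-only from an LDIF export of the user object. This is an added example, not code from any poster in this thread; the function names and the sample entry are constructed, and it assumes the export is in ldifde-style LDIF and that a SELF grant appears as the well-known SID S-1-5-10.

```python
import base64
import struct
UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled account
# Constructed ldifde-style sample; the descriptor value is a short placeholder.
SAMPLE = """dn: CN=user,CN=Users,DC=example,DC=test
userAccountControl: 512
msExchMasterAccountSid:: AQEAAAAAAAUKAAAA
msExchMailboxSecurityDescriptor:: AQAEgA==
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: str or bytes}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of a wrapped line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: value" is base64 (binary)
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        attrs.setdefault(name.lower(), value)  # first value wins
    return attrs

def sid_to_string(raw):
    """Binary SID: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def diagnose(entry):
    """Return findings for the attribute states discussed in the thread."""
    findings = []
    disabled = bool(int(entry.get("useraccountcontrol", 0)) & UF_ACCOUNTDISABLE)
    master = entry.get("msexchmasteraccountsid")
    if disabled and not master:
        findings.append("disabled account has no master account SID")
    if not disabled and master:
        findings.append("enabled account still has master account SID " + sid_to_string(master))
    if not entry.get("msexchmailboxsecuritydescriptor"):
        findings.append("msExchMailboxSecurityDescriptor is not set")
    return findings

if __name__ == "__main__":
    print(diagnose(parse_ldif_entry(SAMPLE)))
```
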
jbreg (Author) Commented:
I eventually got it to work by creating an AD group, giving that group full access to the exchange store, and making myself a member. I suspect the reason it did not work before that is because I was a member of groups (exchange admins and domain admins) which are explicitly barred from having read access to mailboxes.

http://support.microsoft.com/?kbid=262054

Worked for me...

However I'll award points for the help and pointing me in the right direction.