Disabled user account generates SID error in exchange

Posted on 2006-03-20
Last Modified: 2008-01-09
Error Event ID: 1022 "The disabled Active Directory user account associated with the mailbox in question might not have the MSExchMasterAccountSID attribute populated. "

This is on a user's mailbox whose AD account I disabled.

I want to keep the mailbox for 1 month and then remove it.  How do I rectify this?  I know there is 1 SID you can use in Exchange for disabled accounts, but I don't remember how to activate it.

Question by: victoriatech

    Accepted Solution

    Does this help?
    When you move a mailbox from a Microsoft Exchange Server 5.5 computer to a Microsoft Exchange 2000 Server computer or to a Microsoft Exchange Server 2003 computer, you may receive the following error message:
    Error: Opening destination mailbox.
    CN=DDD R1,OU=Recipients,DC=dune,DC=com:
    The information store could not be opened.
    The MAPI provider failed.
    MAPI 1.0
    ID no: 8004011d-0289-00000000
    Additionally, the following event ID messages may be logged in the Application log:
    Event Type: Information
    Event Source: MSExchangeAdmin
    Event Category: Move Mailbox
    Event ID: 1006
    Date: 11/3/2000
    Time: 4:24:53 PM
    User: N/A
    Computer: ALIA
    Started to move mailbox 'DDD R1'.
    Source Database: /o=Microsoft/ou=AdminGroup/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft Private MDB
    Destination Database:
    /o=Microsoft/ou=AdminGroup/cn=Configuration/cn=Servers/cn=SERVER2/cn=Microsoft Private MDB
    Exchange DN: /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=Alias
    Event Type: Warning
    Event Source: MSExchangeIS
    Event Category: General
    Event ID: 9548
    Date: 11/3/2000
    Time: 4:24:54 PM
    User: N/A
    Computer: ALIA
    Disabled user /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=Alias does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.
    Event Type: Error
    Event Source: MSExchangeIS Mailbox Store
    Event Category: Log ons
    Event ID: 1022
    Date: 11/3/2000
    Time: 4:24:55 PM
    User: N/A
    Computer: ALIA
    Log on Failure on database "First Storage Group\Private Information Store (ALIA)" - Windows 2000 account DOMAIN\administrator; mailbox /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=ALIAS. Error: -2147221231
    The error message ID 0x8004011d references MAPI_E_FAILONEPROVIDER. Error event IDs 0x80040111 and -2147221231 correspond to MAPI_E_LOGON_FAILED.

    A similar sequence of errors may be displayed when you try to log on to an Exchange 2000 computer mailbox or an Exchange 2003 computer mailbox.
    This problem can occur if the disabled Active Directory directory service user account that is associated with the mailbox does not have an msExchMasterAccountSID attribute.
    The steps that are provided in this section are for disabling Active Directory user accounts that have Exchange 2000 mailboxes or Exchange 2003 mailboxes. If you follow these steps when you disable the account, event 9548 is not logged. If only a small number of mailboxes are exhibiting this problem, you can generate an msExchMasterAccountSID attribute. To do this, follow these steps:
    1. In the Active Directory Users and Computers snap-in, on the View menu, click Advanced Features.
    2. In the Exchange Advanced properties of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission.
    3. If no account has this permission, grant the SELF account Associated External Account and Full Mailbox Access permissions.

    Note The SELF account is available in all Windows 2000 domains. All SELF accounts share a well-known security identifier (SID) that is the same across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF as the account name.

    Only one account at a time can have the Associated External Account permission. If this permission is currently owned by an account that is unwanted or that is not valid, you must remove the permission on that account before you apply the account to SELF.

    After you remove the Associated External Account permission from an account, exit all properties dialog boxes for the disabled user object. (To do this, click OK, not Cancel, at each level.) You must do this because changes to permissions are not applied immediately, but only after you have exited the object properties for the user. You will be blocked from changing the owner of the Associated External Account permission until you have closed and re-opened the properties of the object.  
    4. Reset the Associated External Account permission to SELF.
    You can use LDAP tools, such as the Active Directory Service Interfaces (ADSI) Edit snap-in, the LDP utility or Ldifde to view the attributes of the user object to verify that the msExchMasterAccountSID attribute has been created. Because of directory replication and Exchange Server cache refresh latencies, it can take up to two hours after you make the change before the mailbox can be moved.

    To set the msExchMasterAccountSID attribute for lots of disabled user accounts, you can use the Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify the mailbox security descriptor. Starting with Microsoft Exchange 2000 Server Service Pack 2 (SP2), a new interface is made available in CDOEXM. This interface is named MailboxRights. This exposure lets you modify the mailbox security descriptor programmatically.

    For more information about how to script a bulk change of the msExchMasterAccountSid attribute, click the following article number to view the article in the Microsoft Knowledge Base:
    322890: How to associate an external account with an existing Exchange 2000 mailbox
    For additional methods that let you set the msExchMasterAccountSid attribute for lots of disabled user accounts, contact Microsoft Product Support Services. For more information about the support options that are available from Microsoft, visit the Microsoft Web site.
    To determine how many disabled user accounts do not have the msExchMasterAccountSid attribute, you can generate an LDIF formatting export file. To do this, run the following Ldifde.exe command:
    ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))"
    The following list describes the Ldifde parameters:
    • -f: This switch indicates the export destination file.
    • -d: This switch indicates the Microsoft Windows domain from which to export user objects. For example, if the Active Directory Users and Computers management console for the domain lists the domain as, it would become "dc=corp,dc=company,dc=com".
    • -l: This switch, if it is used, restricts the output in the export file to only the attributes enumerated by the switch. In this case, the non-existent attribute nothing is used so that only object names, not attributes, are generated.
    • -r: This switch indicates the LDAP search filter, using the standard LDAP query syntax. You can also use this search string with Ldp.exe and other LDAP tools. In this case, the search is for all user objects that are disabled (msExchUserAccountControl value of 2) and that do not have an msExchMasterAccountSID attribute.
    The following text is an example of the output file:
    dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
    changetype: add

    dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
    changetype: add

    . . . . .
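
As an added example (not part of the original answer or of the Microsoft article it quotes), the following PowerShell script performs the same audit as the ldifde command above and goes one step further: for every disabled, mailbox-enabled user it also decodes msExchMasterAccountSID and the mailbox security descriptor, so it reports not only mailboxes where the master account SID is missing, but also those where the SID does not match the account holding Associated External Account, where more than one account holds that right (the article says only one may), or where the SID points at an account that no longer resolves. Assumptions, none of which come from the page: System.DirectoryServices against an Exchange 2000/2003 schema; the msExchMailboxSecurityDescriptor attribute holds the mailbox-rights DACL; the Associated External Account right is mask bit 0x4 in that DACL (taken from the ADSI mailbox-rights definitions, so verify against your schema); the search base LDAP://dc=domain,dc=com is a placeholder; PowerShell 5 or later for the ::new() syntax. The script is read-only and changes nothing.

```powershell
# Added example: audit disabled, mailbox-enabled users for a missing or inconsistent
# msExchMasterAccountSID / Associated External Account setting. Read-only.
param(
    # Placeholder search base (assumption); replace with your own domain's DN.
    [string]$SearchBase = 'LDAP://dc=domain,dc=com'
)

# Mailbox-rights mask bit for Associated External Account (assumed from the ADSI
# mailbox-rights definitions, not stated on the page).
$AssociatedExternalAccount = 0x4
# Well-known SID of NT AUTHORITY\SELF; identical in every domain.
$SelfSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')

# The ldifde filter from the answer, without the "!(msExchMasterAccountSID=*)" clause so
# that populated-but-wrong values are examined as well. msExchUserAccountControl=2 = disabled.
$Filter = '(&(objectCategory=person)(objectClass=user)(msExchUserAccountControl=2))'

function Get-ExternalAccountTrustees {
    # Return the SID of every access-allowed ACE in the mailbox DACL that carries the
    # Associated External Account bit. Exchange expects exactly one such trustee.
    param([byte[]]$SdBytes)
    if (-not $SdBytes) { return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($SdBytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            ($ace.AccessMask -band $AssociatedExternalAccount) -ne 0) {
            $ace.SecurityIdentifier
        }
    }
}

function Test-DisabledMailboxOwner {
    # Evaluate one search result and return a report object, or nothing when the account
    # has no mailbox (msExchMailboxGuid absent) and therefore can never log event 9548.
    param([System.DirectoryServices.SearchResult]$Result)
    $p = $Result.Properties
    if (-not $p.Contains('msexchmailboxguid')) { return }

    $problems = New-Object System.Collections.Generic.List[string]
    $master = $null
    if ($p.Contains('msexchmasteraccountsid')) {
        $master = [System.Security.Principal.SecurityIdentifier]::new(([byte[]]($p['msexchmasteraccountsid'][0])), 0)
    } else {
        $problems.Add('msExchMasterAccountSID not populated (expect events 9548 and 1022)')
    }

    $sdBytes = if ($p.Contains('msexchmailboxsecuritydescriptor')) { [byte[]]($p['msexchmailboxsecuritydescriptor'][0]) }
    $trustees = @(Get-ExternalAccountTrustees -SdBytes $sdBytes)
    switch ($trustees.Count) {
        0       { $problems.Add('no account holds Associated External Account') }
        1       { if ($master -and $trustees[0] -ne $master) { $problems.Add('master SID does not match the Associated External Account holder') } }
        default { $problems.Add('more than one account holds Associated External Account') }
    }

    # A master SID other than SELF must resolve to a live account; an orphaned SID is as bad as none.
    if ($master -and $master -ne $SelfSid) {
        try   { [void]$master.Translate([System.Security.Principal.NTAccount]) }
        catch { $problems.Add("master SID $master does not resolve to an account") }
    }

    [pscustomobject]@{
        DistinguishedName = $p['distinguishedname'][0]
        MasterAccountSid  = if ($master) { $master.Value } else { '<none>' }
        IsSelf            = ($null -ne $master -and $master -eq $SelfSid)
        ExternalTrustees  = ($trustees | ForEach-Object { $_.Value }) -join ';'
        Problems          = $problems -join '; '
    }
}

$root     = [System.DirectoryServices.DirectoryEntry]::new($SearchBase)
$searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter)
$searcher.PageSize = 500   # page through large domains instead of hitting the 1000-object limit
foreach ($attr in 'distinguishedName', 'msExchMailboxGuid', 'msExchMasterAccountSID', 'msExchMailboxSecurityDescriptor') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    # Only rows with at least one problem are shown; a clean disabled mailbox prints nothing.
    $results | ForEach-Object { Test-DisabledMailboxOwner -Result $_ } |
        Where-Object { $_.Problems } |
        Format-Table -AutoSize -Wrap
} finally {
    $results.Dispose()
}
```

Run it from a machine with the Exchange administrative tools and read access to the user objects; the rows it prints are the mailboxes the GUI procedure above still has to be applied to (or the input list for the CDOEXM bulk script in the 322890 article). Keep in mind the two-hour replication and cache latency the article mentions before re-running it to confirm a fix.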


    Author Comment

    Perfect!  That is exactly what I was looking for, the Associated External Account setting is the trick!

    Thanks kindly for your prompt reply to my query.
