Active Directory accounts are unable to login

Posted on 2006-05-03
Last Modified: 2008-05-30
We have 200+ PCs running in a workgroup that has the same name as my AD domain. None of the machines are members of the domain. The users log in to Novell 6.0 and get all the policies from Novell. They need access to our Exchange 2k box for their email and another application. Most of the users have no trouble with this setup, although a select few have been locked out of their AD account (not able to access email etc.). We don't see anything in the event log on the domain controller besides:

"Disabled user / Administrative Group/cn=Recipients/cn=username does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account."

But so far the users with that message have not encountered the issue.

Our workaround has been to reset the user's password on the DC, which fixes the issue. Users do not have access to reset their own passwords.
Question by: gmacmaster
    LVL 4

    Expert Comment

    It sounds like you have accounts that have been removed from AD prior to their mailbox being removed from Exchange. You should remove the Exchange features/mailbox first, then delete accounts for users.

    LVL 1

    Author Comment

    The error message I posted was the only warning or error in the event log; I am not sure if it is related.

    I have requested that my helpdesk folks keep a running list of the users having this issue to see if their username appears in the log.

    Note:  all the users have the check box for passwords never expiring.
    LVL 4

    Accepted Solution

    The error that you are encountering happens when a user is deleted from Active Directory and their mailbox is not removed from Exchange at the same time. If you look at the user names, you should archive that user's Exchange data, completely remove them from AD and Exchange, then make a new account for them and a new mailbox and do the restore. What the error refers to is the association between the location of the Exchange accounts and their relative AD (SID) accounts. When one is deleted without the other, the chain is broken, so to speak.
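
A read-only query for the accounts the event text describes (disabled, mailbox-enabled, no master account SID), cross-checked against the helpdesk's running list mentioned in the thread; this is an added example, not code from the thread. `homeMDB` and `msExchMasterAccountSid` are the standard AD/Exchange schema attributes, and the usernames in `$helpdeskReports` are constructed placeholders.

```powershell
# Added example (not from the thread). Run from a domain-joined machine with
# an account that can read user objects; it only reads, it changes nothing.

# LDAP filter for the condition named in the event text:
#   userAccountControl bit 2 set  -> account is disabled
#   homeMDB present               -> account has an Exchange mailbox
#   msExchMasterAccountSid absent -> no master account SID recorded
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
          '(homeMDB=*)(!(msExchMasterAccountSid=*)))'

$searcher = [adsisearcher]$filter
$searcher.PageSize = 500   # page results so the server's result limit does not truncate them
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'distinguishedname', 'whenchanged'))

# Constructed sample: the helpdesk's running list of users who reported lockouts.
$helpdeskReports = @('jdoe', 'asmith')

$results = $searcher.FindAll()
try {
    $report = @(foreach ($r in $results) {
        $sam = [string]$r.Properties['samaccountname'][0]
        New-Object PSObject -Property @{
            SamAccountName     = $sam
            DistinguishedName  = [string]$r.Properties['distinguishedname'][0]
            WhenChanged        = $r.Properties['whenchanged'][0]
            # -contains is case-insensitive, which matches how AD treats logon names
            ReportedToHelpdesk = ($helpdeskReports -contains $sam)
        }
    })
}
finally {
    $results.Dispose()     # SearchResultCollection holds unmanaged resources
}

# Accounts flagged by the filter, with the helpdesk overlap shown per row.
$report | Sort-Object SamAccountName |
    Format-Table SamAccountName, ReportedToHelpdesk, WhenChanged, DistinguishedName -AutoSize
```

If no row shows `ReportedToHelpdesk` as True, the accounts named in the event log and the accounts being locked out are different sets.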

