ASAdmin


Set Associated external account property through script

Hi
Is there a way to set the "associated external account" property and "full mailbox access" property on the Exchange advanced tab of multiple users, to their respective accounts from a different forest (trust enabled) through script?

Regards
Harsha
Chris Dent


But of course :)

I did one the other day, let me dig it out again.

Chris
ASKER CERTIFIED SOLUTION
Chris Dent
ASAdmin

ASKER

Fantastic,
I will test it out in my test lab today after making the necessary modifications.
Does the CSV file contain just two fields (of course that's all it needs anyways)?
And the next thing is will the script also set the full mailbox access property as well?

Thank you so much.

Hey,

Yep, just those two fields.

And yes, it sets that. This is the bit that sets the Mask:

objACE.AccessMask = ADS_RIGHT_FULL_MB_ACCESS + _
      ADS_RIGHT_ASSOCIATED_EXTERNAL_ACCOUNT

And since Associated External isn't much good without mailbox access we have both :)

Chris

ASKER

Fantastic Chris,
I will test that today in my lab and then assign you points.

Thank you

No problem, yell if you have any problems with it. Did test it as much as I could here, the only problem I ran into was where the SID for the Associated External Account exists in both domains (if ADMT has been run and the SID is present in a SID history).

Chris

ASKER

One more quick question, Do we have to disable the account on which we are setting these properties?
I am asking this question from two perspectives

1. If we disable the account, does it receive emails?
2. What if we need to login as that account in the old (Exchange domain)?

Thank you

No, you don't have to disable the source if you don't want to, sorry I forgot to note that was included.

Feel free to remove the call to the Subroutine DisableAccounts under Main Code (or remove that and the Subroutine that does it). It's intentionally modular so it'll happily survive without that step.

1. Yes provided that an Associated External Account is set
2. It won't let you :)

Chris

ASKER

Perfect, I'd rather remove that module.

Thank you.

ASKER

One more quick question: on the CSV file, is there a header row or just the values throughout? (I am thinking it is the sAMAccountName that we are going to put in that field, correct me if I am wrong.)

Thank you

ASKER

Hi Chris,
I am getting the following error trying to run that script.

Line:182
Char: 4
Object doesn't support this property or method, objuser.Mailboxrights
Code: 800A01B6

Regards

ASKER

Never mind, I ran it on the Exchange server in the source and it worked smooth, no problems at all.

ASKER

Thank you Chris for helping me with this.

Excellent :) Should have mentioned that it must run from a system with the Exchange System Tools installed.

Chris

Missed a bit:

> is there a header row or just the values throughout

Just the values, I didn't write anything in to account for a header row.

Chris
Hi,
I have tried this script but I get the following error.
"The specified directory service attribute or value does not exist" Line 221

I have migrated the user accounts from one forest to another while leaving Exchange in the source forest. The users are migrated with SID history as some resources are remaining in the source forest for the time being. I was wondering if the error is due to the SID history and whether there is a way to get the script modified to allow it to work in this situation.

Thanks in advance

Will it let you manually assign the permission using the GUI? If it does, then yes, there's a chance we can fix it. If it doesn't we're a bit stuck.

Chris
I too need to be able to preserve SID history during an ADMT migration, and I need to associate to an external account (the old email account on the old domain). I can do this via the GUI; does this script work with SID History?

MikeEdd

As above, if you can do it in the GUI the script can deal with it. If you cannot then it won't be able to help.

Chris
Thanks - this helped me a ton.

It set both the things I needed:
Full mailbox access
Associated external account

Thank you,
Mark Leddy
Hi there,

This is the best thing I have discovered since starting on a MAJOR domain migration. Thanks :)

I am also running into the SID history issue (Yes ADMT was used to migrate users)

To answer the question about if it's possible in the GUI... yes, I can do all the script tasks via GUI.

(I am an absolute scripting idiot - so this is just a dangerous errant thought)
Since SID history is the issue here, are there perhaps some of the mailbox permissions that don't need to be set? - hence avoiding the error?

I still have almost 10k users to migrate in the next 2 weeks - so I would LOVE to get this working.

Regards
Jacqueline

PS. I did add one thing to the script.
I added a section to update the mailNickName in AD (with the 'strExternalUsername') - it's probably only in my environment that this is required.

> Since SID history is the issue here, are there perhaps some of the mailbox permissions that don't need to be set?
> - hence avoiding the error?

Not really I'm afraid. Existing permissions will be bound to SELF rather than an explicit entry for the SID.

Chris

ASKER

Hmm!!
When I created this question, I was using Quest migration tools for that particular migration. Later our company acquired another company (smaller one) and needed to merge that domain into ours and I used ADMT since our company didn't want to spend the ransom on Quest, and the script still worked fine.
@ ASAdmin

You probably used ADMT, but didn't carry the SID history with... I WISH our company went with that idea... instead they went the FULL Microsoft idea... with all its issues.

Let me go play with this some more :)

It was written to work alongside a migration based on ADMT, it should be fine :)

Chris
I get the following error :
>>User-Mig.vbs(109, 3) (null): 0x80005000
Line 109 in my script file is: Set objUser = GetObject("LDAP://" & strDN)

But I only get this on accounts that were migrated with ADMT. My test accounts don't get this - they work fine.
Ok... fixed it.
Replaced the "disableuser" sub with different code... works fine :)

(Don't ask me why of all things that didn't work... my coding skills are just not good enough)

Thanks a million... this makes my target of 10k users in the next 2 weeks possible :)

Good luck Jacqueline :)

Chris
I fixed it :)

Line 33: strExchangeUsername = LCase(arrLine(0))

Took out the LCase statement... most of my usernames have caps in...

Now the script works (in its original form) across the board.

I suppose I could have added another LCase statement into line 82: If objUsers.Exists(strUsername) Then

The main thing is that it now works on my domain... (I didn't realise that my test accounts were all lowercase until I stumbled onto the issue.)

You can make objUsers case insensitive:


Set objUsers = CreateObject("Scripting.Dictionary")
objUsers.CompareMove = vbTextCompare


Otherwise LCase as you thought.

Chris

er should have been:


objUsers.CompareMode = vbTextCompare


Chris
Erm... now I am going to sound like an idiot...

Where do I add that in? (I think I fried my brain already today... no more thinking power left)

Immediately after this line (243 in the original):

Set objUsers = CreateObject("Scripting.Dictionary")

That creates the dictionary object. By default it does binary comparison, effectively case-sensitive comparison. By changing CompareMode you can make it ignore case, so you end up with this in place of the original:

Set objUsers = CreateObject("Scripting.Dictionary")
objUsers.CompareMode = VbTextCompare

Chris
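
The case-sensitivity problem and the CompareMode fix discussed above, as an added example that is not part of the original script or of any post in this thread. The CSV contents and the names `arrLines` and `BuildLookup` are hypothetical; the example also shows that CompareMode has to be set while the dictionary is still empty.

```vbscript
Option Explicit

' Constructed sample input: two fields per line, no header row.
' Field order and all account names are assumptions for illustration.
Dim arrLines
arrLines = Array("JSmith,jsmith.ext", "mleddy,MLeddy.ext")

' Build the username lookup. CompareMode must be set while the
' dictionary is still empty; changing it later raises a run-time error.
Function BuildLookup(arrCsv, intCompareMode)
    Dim objDict, strLine, arrLine
    Set objDict = CreateObject("Scripting.Dictionary")
    objDict.CompareMode = intCompareMode
    For Each strLine In arrCsv
        arrLine = Split(strLine, ",")
        If UBound(arrLine) = 1 Then   ' skip lines without exactly two fields
            objDict(Trim(arrLine(0))) = Trim(arrLine(1))
        End If
    Next
    Set BuildLookup = objDict
End Function

Dim objBinary, objText
Set objBinary = BuildLookup(arrLines, vbBinaryCompare)   ' the default mode
Set objText = BuildLookup(arrLines, vbTextCompare)

' The name being looked up may differ in case from the CSV entry.
WScript.Echo "Binary compare finds jsmith: " & objBinary.Exists("jsmith")
WScript.Echo "Text compare finds jsmith:   " & objText.Exists("jsmith")

' Setting CompareMode once the dictionary holds data is rejected.
On Error Resume Next
objBinary.CompareMode = vbTextCompare
If Err.Number <> 0 Then
    WScript.Echo "Late CompareMode change rejected: " & Err.Description
    Err.Clear
End If
On Error GoTo 0
```

Run it with `cscript` so the output goes to the console. In a bulk permission script, a silent lookup miss means an account is skipped without its mailbox rights being set, so logging every name that fails `Exists` is worth the extra line.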
Thanks a million :)