Associated External Account for an Exchange Server 2003 Mailbox and Issues Accessing Other Mailbox Folders and Public Folders
2010-10-20 Initial Post
Exchange Server 2003 SP2, Windows Server 2003 SP2 AD
I ran into an issue at work the other day which was new to me, and I didn't really find any good documentation either on the Internet or at work, so I did some testing and wrote up a procedure to get around the issue. The issue has to do with the Associated External Account feature. Basically, that feature is used to grant permission to a mailbox in a cross-forest account/resource forest setup. If both of a user's accounts, the one in the account forest and the one in the resource forest, are enabled (which MS does not recommend), he will not be able to access other users' Outlook folders or Outlook public folders unless a special procedure is followed.
I'm going to give an account of my testing scenario and will not be going into a lot of background details, so refer to the articles on MSExchange.org and MS TechNet for background info on the Associated External Account feature. The issue can be really confusing, so I don't expect anyone to follow it easily, but if you're reading this, then that means you might have run into the same issue and will understand what I'm describing.
I’ve changed the names below for obvious reasons. Current setup is ACCOUNT-AD which is the domain/forest that contains user accounts and EXCHANGE-AD which is the domain/forest that contains the Exchange org. There’s a need for separate forests because the business is in a highly regulated industry and must maintain separation at certain levels.
Users ASmith and BJones have active/enabled accounts in ACCOUNT-AD and also related resource accounts in EXCHANGE-AD. The resource accounts are necessary since they're for the user's Exchange mailboxes. The Associated External Account entry for both mailboxes is linked back to their respective accounts in ACCOUNT-AD. Per MS, the resource account is supposed to be disabled, and if it’s not, it “can cause odd behavior such as lost permission settings.”
For business purposes, EXCHANGE-AD\BJones (the resource account for the mailbox) is not disabled because he needs to use that account to log on to some applications in EXCHANGE-AD. Because of the industry regulations, he must access the application this way (this is not a technical decision).
I only have one account and mailbox, both in EXCHANGE-AD, so I used my mailbox for testing. Here’s what I did:
- Gave ASmith and BJones reviewer permission to my Calendar and Contacts.
- 30 minutes after disabling BJones's EXCHANGE-AD account, how do the ACEs on those folders look?
- >> ASmith's entry still shows his display name, Smith, Adam. BJones's entry has turned into NT USER:EXCHANGE-AD\BJONES.
- >> Why? Because EXCHANGE-AD\BJones is disabled, Exchange can't resolve that entry to the mailbox display name, since that mailbox now has an Associated External Account entry.
- Give ASmith and BJones reviewer permission to Tasks. How do the ACEs on this folder look?
- >> It shows both users' display names: Smith, Adam and Jones, Bob.
- >> Why? Because the ACCOUNT-AD accounts are used in both ACEs, and each is the associated external account of its respective mailbox account in EXCHANGE-AD, so the display name of each mailbox is used.
- 30 minutes after re-enabling EXCHANGE-AD\BJones, how do the ACEs on the folders look?
- >> In Calendar and Contacts, BJones's ACE is back to the mailbox display name, Jones, Bob.
- >> In Tasks, BJones's ACE is now shown as NT USER:ACCOUNT-AD\BJONES.
- >> Why? Because now that the EXCHANGE-AD account is enabled again, the ACE will use the EXCHANGE-AD account from now on, and new ACEs would resolve to the resource mailbox display name. The existing ACE for BJones still points to NT USER:ACCOUNT-AD\BJONES, and the ACCOUNT-AD\BJones account still has permission to the folder.
So below is the procedure that I ended up with after my testing. Because of AD replication latency, I wait 30 minutes after some changes.
Granting permission to mailbox folders and public folders for an ACCOUNT-AD user who has an EXCHANGE-AD account that is NOT disabled and uses the ACCOUNT-AD account to log on to the network and Outlook:
- Remove the user's permissions from the folder.
- Disable the EXCHANGE-AD account and wait 30 minutes.
- Grant the user permission to the folder and wait 30 minutes.
- Re-enable the EXCHANGE-AD account and wait 30 minutes.
- Verify the folder permissions by checking its ACL. The ACE for the user should have NT USER:ACCOUNT-AD\XXXXXXX shown instead of the mailbox display name.
- The user should restart Outlook or log off and back on to the computer.
Since the user logs on to the network and Outlook with ACCOUNT-AD\XXXXXXX, he will be able to access the folder now.
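Since the root of the whole problem is a resource account that has an Associated External Account but is not disabled, it is worth being able to find every such account in EXCHANGE-AD before users start reporting folder access failures. The script below is an added example, not part of the original post: it queries EXCHANGE-AD over LDAP for mailbox-enabled users whose msExchMasterAccountSid is set and reports those that are still enabled. It assumes PowerShell with read access to EXCHANGE-AD; the base DN is a placeholder, and msExchMasterAccountSid, homeMDB and userAccountControl are the real AD attributes involved.

```powershell
# Audit: list EXCHANGE-AD resource accounts that have an Associated External
# Account (msExchMasterAccountSid populated) but are NOT disabled, i.e. the
# configuration MS warns "can cause odd behavior such as lost permission settings".
# Added example; the DN below is a placeholder for the real EXCHANGE-AD domain.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=exchange-ad,DC=local")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# Mailbox-enabled users only (homeMDB set) that carry an external account SID
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*)(msExchMasterAccountSid=*))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "displayName", "userAccountControl", "msExchMasterAccountSid"))

$ACCOUNTDISABLE = 0x2          # userAccountControl flag bit for a disabled account
$SELF_SID       = "S-1-5-10"   # NT AUTHORITY\SELF, what MS recommends as the external
                               # account for disabled mailboxes with no real external account

foreach ($r in $searcher.FindAll()) {
    $uac      = [int]$r.Properties["useraccountcontrol"][0]
    $sidBytes = [byte[]]$r.Properties["msexchmasteraccountsid"][0]
    # msExchMasterAccountSid is stored as a binary SID; convert it to S-1-5-... form
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    $enabled  = -not ($uac -band $ACCOUNTDISABLE)

    if ($enabled -and $sid -ne $SELF_SID) {
        # Enabled resource account linked to a real external account: flag it
        "{0}`t{1}`tENABLED, associated external account SID {2}" -f `
            $r.Properties["samaccountname"][0], $r.Properties["displayname"][0], $sid
    }
}
```

Each line reported is a mailbox whose folder permissions will behave the way BJones's did above; resolve the SID in ACCOUNT-AD to see which user it belongs to.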