Inability to Flow Security Descriptor Attribute into Exchange Using MAPI Management Agent (281229)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.1
  • Microsoft Metadirectory Services 2.2

This article was previously published under Q281229

SYMPTOMS

When you use the Exchange MAPI management agent to flow the Assoc-NT-Account attribute from the metaverse into Microsoft Exchange 5.5, the expected corresponding changes do not occur in the Exchange NT-Security-Descriptor attribute. As a result, the user that you specify in the Assoc-NT-Account attribute is locked out of the Exchange mailbox, because the user's security descriptor does not match the one that is associated with the mailbox.

CAUSE

This behavior occurs because Exchange security is based solely on the NT-Security-Descriptor attribute and is not affected by the value that is stored in the Assoc-NT-Account attribute. The value of NT-Security-Descriptor is stored in binary form as a hexadecimal value. Although you can flow this attribute to and from Exchange, Metadirectory Services (MMS) lacks the ability to recalculate the value. Therefore, you must perform this necessary step within the Exchange Administrator tool.

MORE INFORMATION

There is no workaround for this behavior. If you have to change the value of the Exchange NT-Security-Descriptor attribute for any reason, such as a Microsoft Windows NT account name change or permission modifications, you must reset the value by using the Exchange Administrator tool. By design, MMS does not manage the value of the Exchange NT-Security-Descriptor attribute.

Modification Type: Minor
Last Reviewed: 1/25/2006
Keywords: kbenv kbfix kbprb KB281229