I recently joined Microsoft as a Premier Field Engineer for Messaging. One of the top issues I started seeing is mailboxes that are converted to linked or shared mailboxes after migration from Exchange 2003, whereas they should be plain user mailboxes.
While it's no problem to convert a shared mailbox to a user mailbox - Set-Mailbox UserMbx1 -Type Regular - you will have a hard time converting a large number of linked mailboxes to user mailboxes, as the official procedure calls for disconnecting and reconnecting (!) the mailbox.
Let's start and see why this happens and what we can do about it -
Back in the days of 5.5, every mailbox had to have a so-called "Associated External Account", or "AEA" for short. This was necessary because Exchange 5.5 had its own directory service, and NT accounts had to be matched somehow. In Exchange 2000 / 2003 / 2007, the AEA account is mostly used for resource forest deployments, where a disabled mailbox account needs to be matched with an enabled user account from a user forest.
The problem here is that most customers have always upgraded their environment since the earliest days - and therefore still have (obviously no longer existing) accounts carrying the AEA property in their mailbox rights ACLs - this probably looks something like below:
Exchange 2007 recognizes the AEA's (and the msExchMasterAccountSid) and configures this mailbox as a "linked mailbox" -
There are a few ways around the problem -
1) Fix it using official guidelines - you'll be fine, as long as you don't have a large number of mbx to convert.
2) Fix the problem BEFORE migrating to E2K7 - your best bet.
3) Bulk fix the problem AFTER migrating to E2K7 - tricky, but can be done.
As you can read up on 1) for yourself, I am going to focus on 2) and 3) - automatically bulk-converting linked mailboxes to user mailboxes.
Fix the problem BEFORE migrating to E2K7:
So you got lucky and discovered the issue while testing with a few boxes? Good.
First make sure that you DO NOT need the AEA attribute anymore - if you are 110 % positive that this is the case, go ahead and grab a copy of NoMAS from MSDN Code Gallery - link here. You should run NoMAS on any domain-joined workstation, using admin privileges.
NoMAS allows you to bulk remove the AEA property from your ACLs - that also clears the msExchMasterAccountSID. Do a check run first (select "enabled users" and "check") and review which accounts will be modified by checking the generated log file. If you are confident that the output matches the user set you want to migrate, run NoMAS again, this time with the "fix" option.
Voila, all your AEA properties should be gone. Allow for domain replication, and try migrating one of the users - it should be a regular E2K7 user mailbox.
Bulk fix the problem AFTER migrating to E2K7:
Not so lucky, hm? Well, there's hope - As already stated, the official (read: supported) way of converting is to disconnect and reconnect the mailbox. While this will work just fine for a few mailboxes, it's hardly feasible with hundreds of boxes. So we need to "convince" Exchange to no longer handle this box as a linked mailbox, but as a user mailbox - for this we need to do the following:
- Remove the AEA property (of course)
- Clear the msExchMasterAccountSID
- Change the msExchRecipientTypeDetails from "2" (for linked) to "1" (to user)
DISCLAIMER: Changing the msExchRecipientTypeDetails is in no way supported by Microsoft!! Do this solely at your own risk.
I have come up with a PowerShell script, which does exactly these steps. Let me walk you through it (see my comments in BOLD)
#Bulk convert linked mbx to user mbx (e2k7) using strictly ps.
#Written by Georg Hinterhofer
cls
#get a list of all linked mbx (Unlimited, because Get-Mailbox returns only the first 1000 by default)
$linkedmbx = Get-Mailbox -ResultSize Unlimited | ? {$_.islinked -eq $true}
#loop through all mbx
foreach ($mbx in $linkedmbx)
{
    #Grab ACL containing AEA property (there may be no entry, or more than one)
    $AclContainingAEA = @($mbx | Get-MailboxPermission | ? {$_.accessrights -like "*ExternalAccount*"})
    foreach ($ace in $AclContainingAEA)
    {
        #Show the account that currently holds the AEA right
        $ace.User
        #Fix AEA in AD
        Remove-MailboxPermission -Identity $mbx.DistinguishedName -User $ace.User -AccessRights ExternalAccount
    }
    #Fix MsExchRecipientType in AD so that Box is displayed as User and no longer as linked (change from 2 to 1)
    $LDAPPath = "LDAP://" + $mbx.DistinguishedName
    $ADUser = [ADSI]"$LDAPPath"
    $ADUser.put("msExchRecipientTypeDetails",1)
    #Fix msExchMasterAccountSID (clear in AD) so that "IsLinked" and "LinkedMasterAccount" get cleared.
    #The first argument 1 is ADS_PROPERTY_CLEAR
    $ADUser.putex(1,"msExchMasterAccountSid",$null)
    #Save information to AD
    $ADUser.setinfo()
}
I have attached a copy of this script to the blog post. Feel free to edit it, add error handling, logging, whatever.
After running, allow for or force domain replication. You will find that the linked mailboxes have been successfully converted to user mailboxes.
Hope you find this useful,
Georg
convert_linked_to_user_mailboxes.ps1 (974.00 bytes)
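A read-only inventory to run before either bulk fix, as an added example that is not part of the original post or the attached script: it records each linked mailbox's current msExchMasterAccountSid and AEA trustees to a CSV (so the values can be restored) and flags mailboxes whose master account SID no longer resolves. It assumes the Exchange Management Shell on PowerShell 2.0 or later; `$ReportPath` and the report column names are hypothetical.

```powershell
# Added example: read-only inventory of linked mailboxes, run BEFORE any conversion.
# Nothing here writes to AD or to mailbox permissions.
$ReportPath = ".\linked-mailbox-inventory.csv"   # hypothetical output file

$report = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited | Where-Object { $_.IsLinked })) {

    # Read the raw master account SID from AD so it can be restored later if needed
    $adUser   = [ADSI]("LDAP://" + $mbx.DistinguishedName)
    $sidBytes = $adUser.Properties["msExchMasterAccountSid"].Value
    $sid      = $null
    $resolved = $null
    if ($sidBytes) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            # Throws IdentityNotMappedException when no account owns this SID any more
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $resolved = $null
        }
    }

    # Trustees holding the ExternalAccount (AEA) right on this mailbox
    $aea = @($mbx | Get-MailboxPermission |
             Where-Object { $_.AccessRights -like "*ExternalAccount*" } |
             ForEach-Object { $_.User.ToString() })

    New-Object PSObject -Property @{
        DistinguishedName    = $mbx.DistinguishedName
        RecipientTypeDetails = $mbx.RecipientTypeDetails
        MasterAccountSid     = "$sid"
        MasterAccountName    = $resolved
        ExternalAccountUsers = ($aea -join ";")
        # Conversion candidate only if the SID no longer maps to any account
        StaleMasterAccount   = ($sid -ne $null -and $resolved -eq $null)
    }
}

$report |
    Select-Object DistinguishedName, RecipientTypeDetails, MasterAccountSid,
                  MasterAccountName, ExternalAccountUsers, StaleMasterAccount |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Mailboxes whose master account still resolves may be genuine linked mailboxes
$report | Where-Object { -not $_.StaleMasterAccount } |
    Select-Object DistinguishedName, MasterAccountName
```

SID resolution happens from the machine running the shell, so an account in a trusted forest resolves only while that trust is reachable; review the rows listed at the end before removing anything.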