Exchange 2010 external account setting compared to linked master account RRS feed

  • Question

  • Hello,

    Exchange 2010 mailbox

    what is the difference between the external access setting, for example when using the powershell command - get-mailboxpermission -identity <MBX1>

    domainA\user     - Full Access, External account

    domainB\user      - Full access

    for the same mailbox if I use the command

    get-mailbox -identity <MBX1> | fl

    this returns in one of the lines -

    LinkedMasterAccount - DomainB\user


    The query is the master account is set to a different trusted domain account to the external account. The mailbox was migrated from Exchange 2003 to Exchange 2010, should they be the same?

    Thnaks and Regards,


    Tuesday, March 13, 2012 2:04 PM

All replies

  • Linke Accounts are when a Mailbox exists in one domain but is linked with a user account from another domain.  Lets just say Domain B is the Exchange domain and Domain A is the remote domain.  When a Linked Mailbox is created, a disabled user account is created in Domain B (all mailboxes must have a local account), then a user in Domain A is given rights to the Linked Mailbox, it essentially gives permissions to a mailbox from an 'external' account.

    Now in your scenario, it seems that your new Exchange 2010 environment is in a different AD domain than your older 2003 Exchange environment, true?  If this is the case, that is why a linked mailbox was created when the mailbox was migrated.  If not, give some more details on the architecture and we can try to work through your question.


    Tuesday, March 13, 2012 5:32 PM
  • Hi

    Any update, did you follow what Russ said?

    It looks strange, Could you please tell us which domain is Exchange Domain, Which is Account Domain.

    You can try to create a new Linked mailbox on Exchange Domain, and see if it happens again


    Zi Feng

    Zi Feng

    TechNet Community Support

    Thursday, March 15, 2012 7:20 AM
  • Hello,

    Apologies for the delay. The mailbox is being moved from within the domain and the same organisation and also mailboxes are being moved from another organisation/domain.

    So for example where a mailbox exists in Exchange 2003 and is moved to Exchange 2010 in the same organisation and domain. When the mailbox is initially on Exchange 2003 it has it's AEA (associated external account) set to userA in another domain and a secondary userB is permission against the mailbox that has 'Full Mailbox access' but no AEA set (can only be set to one user). When this mailbox is moved to Exchange 2010, the mailbox becomes a Linked mailbox, with the linkedmasteraccount setting stays with the AEA account from Exchange 2003 (userA) but can see the external account as the secondary userB from the other external domain.

    Another test is to create a new Linked mailbox in Exchange 2010 and both the LinkedMasterAccount and the External setting is shown as the same external domain user.

    What is the difference between the LinkedMasteracount for a Exchange 2010 maibox and  the External account setting? We can use powershell commands for both to be the same user just concerned about what is the difference. 

    Thursday, March 15, 2012 9:56 AM
  • Elaborate on what you mean by 'Other external domain'?  The AEA should stay the same between Exchange 2003 and 2010, since the LinkedMasterAccount is the account in the Trusted domain that will actually use the mailbox (Same as AEA in 2003).  Now, is DomainB the same domain that Exchange is in, or is it another separate Trusted domain?
    Thursday, March 15, 2012 12:45 PM
  • Hello,

    Thanks for your reply. DomainB is another external domain, so not the Exchange domain and not the domain that UserA is in.

    Sorry to ask the original question, what is the difference between external account and LinkedMasterAccount? I ask because if at a later stage I wished to change the LinkedMasterAccount setting then should the externalaccount setting be changed also, please note changing one by powershell does not change the other, I need two separate Powershell command lines.

    Thursday, March 15, 2012 1:34 PM
  • The ExternalAccount permission, from what I can gather, is the permission that allows a specific user that is assigned that right, the ability to associate the mailbox in question to an external account (another domain or resource forest).  This right should not be necessary unless you have some sort of delegated user that is not part of the exchange admins that you want to do external account associations.  I would do some testing with this though, but with what I could find (which is minimal), I would surmise you dont need that permissions unless you have a special case.

    Thursday, March 15, 2012 2:10 PM
  • Thanks for your replay and comments Russ.

    Wondering if the External account is a legacy or Exchange 2003 setting, would be interested to hear of a explanation.


    Thursday, March 15, 2012 5:08 PM
  • Good luck with that, it seems to me that only an Exchange developer would be able to explain it since there is so little info on the net about it.  Also realize, ExternalAccount is a permission, it is not actually an account, hence, you have to set it with add/remove-mailboxpermission.
    Thursday, March 15, 2012 5:29 PM