removing the Unknown user Accounts in Mailbox rights

  • Question

  • Halloo
    I have exchange 2007 server sp1 installed on win2k3 r2 sp1. through AD, there are unknown user accounts listed in the mail box rights list?
    How could I remove them ... they are inherited.. also.. I can see such account when I open the "Manage Full Access permission" in Exchange console.

    I can remove them from "Manage Full Access permission"… but they returned back.

    And from AD, I could not stop inherited permission.. It is not located there when I press advanced button.

    In security tab, in AD and for user properties, I don’t see such unknown accounts, while the inheritance there is not active.

    Your help is highly appreciated

     

    Wednesday, February 3, 2010 10:38 AM

Answers

  • On Wed, 3-Feb-10 10:38:23 GMT, Qadous wrote:

    >
    >
    >Halloo I have exchange 2007 server sp1 installed on win2k3 r2 sp1. through AD, there are unknown user accounts listed in the mail box rights list? How could I remove them ... they are inherited.. also.. I can see such account when I open the "Manage Full Access permission" in Exchange console.
    >
    >I can remove them from "Manage Full Access permission"… but they returned back.
    >
    >And from AD, I could not stop inherited permission.. It is not located there when I press advanced button.
    >
    >In security tab, in Ad and for user properties, I don't see such unknown accounts, while the inheritance there is not active.

    Use ADSIEDIT to locate the object from which those SIDs are inherited
    and remove them from there.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    • Proposed as answer by Allen Song Friday, February 5, 2010 8:27 AM
    • Marked as answer by Allen Song Friday, February 26, 2010 5:55 AM
    Thursday, February 4, 2010 3:30 AM

All replies

  • thank you Rich
    actually I remove all “account unknown” from the domain partition for all above parents and exchange organization, but I still see the unknown accounts in "manage full access permission" in Management console

    Saturday, February 6, 2010 8:55 AM
  • On Sat, 6-Feb-10 08:55:46 GMT, Qadous wrote:

    >
    >
    >thank you Rich actually I remove all "account unknown" from the domain partition for all above parents and exchange organization, but I still see the unknown accounts in "manage full access permission" in Management console

    Are the ones that remain inherited? If so you've missed something.
    From the description you just gave I think you may not be looking in
    the right place, though.

    Use ADSI and connect to the Configuration naming context. Then
    navigate to:

    CN=<ORGNAME>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<TLD>
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    Saturday, February 6, 2010 5:52 PM
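
Added example (not part of the thread and not the poster's code): a read-only Exchange Management Shell report that lists the unresolved SIDs on one mailbox and then walks up from its mailbox database through the Configuration naming context to show the container where each one is set explicitly, which is the object to open in ADSIEDIT. The mailbox name `jdoe` and the `S-1-5-21-*` pattern used to spot unresolved domain SIDs are assumptions.

```powershell
# Added example: read-only report, run in the Exchange Management Shell.
# 'jdoe' is a placeholder mailbox identity (assumption).
$mailbox = Get-Mailbox -Identity 'jdoe'

# A deleted account can no longer be resolved to DOMAIN\name, so its ACL
# entries show up as a raw domain SID string (assumed pattern: S-1-5-21-*).
$isOrphan = { $_.User.ToString() -like 'S-1-5-21-*' }

# 1. The entries that "Manage Full Access Permission" displays for this mailbox.
Get-MailboxPermission -Identity $mailbox.Identity |
    Where-Object $isOrphan |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# 2. Walk up from the mailbox database toward CN=Configuration and report
#    where an unresolved SID is set explicitly (IsInherited is False).
#    Those containers are the source of the inherited entries seen in step 1.
$dn = $mailbox.Database.DistinguishedName
while ($dn -and $dn -notlike 'CN=Configuration,*') {
    $here = $dn
    Get-ADPermission -Identity $here |
        Where-Object { (& $isOrphan) -and -not $_.IsInherited } |
        Select-Object @{ n = 'SetOn'; e = { $here } },
                      User, AccessRights, ExtendedRights, Deny

    # Parent DN: strip the leftmost RDN (first comma not escaped by a backslash).
    $parent = $dn -replace '^.*?(?<!\\),', ''
    if ($parent -eq $dn) { break }   # no parent left, stop
    $dn = $parent
}
```

Each `SetOn` value in the second report is a distinguished name that can be pasted into ADSIEDIT's Configuration view; entries that still appear as inherited in step 1 after cleanup point to a container higher in that chain.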
  • I'm so thankful Rich...
    really.. I removed most of the account unknown accounts but still there are few accounts.

    However, could you help me by telling the reason behind "account unknown".

    Is there any harmful in windows systems result from account unknown ... security? Performance? Errors?

    It will be better if you send me any Microsoft site links to explain more.

    Thank you Rich

    Sunday, February 7, 2010 5:54 AM
  • On Sun, 7-Feb-10 05:54:35 GMT, Qadous wrote:

    >I'm so thankful Rich... really.. I removed most of the account unknown accounts but still there are few accounts. However, could you help me by telling the reason behind "account unknown".

    It's pretty simple -- you deleted the account from the directory
    before you removed it from all the places it was used in ACLs. It's a
    pretty common occurrence and one of the reasons why it's better to use
    security groups for granting/denying access to objects.

    >Is there any harmful in windows systems result from account unknown ... security?

    There's no security risk since those SIDs no longer exist in the AD.

    You may be questioned about your security practices during an audit,
    though.

    >Performance?

    Well, slightly. The size of the ACL can become larger than necessary,
    but under most situations I don't think you'd notice.

    >Errors?

    None.

    >It will be better if you send me any Microsoft site links to explain more. Thank you Rich

    I think you're probably capable of using any number of search engines
    to find those yourself.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    Sunday, February 7, 2010 5:24 PM
  • thank you sir
    Monday, February 8, 2010 11:36 AM