Resolution
goal
Why is the attribute 'msExchMasterAccountSid' used in a migration?
fact
Exchange Migrator 2.x
fix
The reason that this is populated is because the checkbox to 'Associate the existing account with the new Exchange mailbox' was checked. This checkbox will tell Exchange Migrator (EM) to add the source mailbox user as an 'Associated external account' to the new target mailbox. When an account is given the 'Associated external account' permission the 'msExchMasterAccountSid' property on the target mailbox is populated with the sid of the source mailbox user (or the account that was added as 'Associated external account'). This is a function of Windows 2000. To test this, you could add an external account to the mailbox and verify that this attribute gets populated. To ensure this does not happen during a migration with Exchange Migrator, deselect the checkbox for 'Associate the existing account with the new Exchange mailbox'. This checkbox is typically used only if the user will still be logging in with his source domain account and using his target mailbox. In this scenario, the target user account should be disabled.
The RUS does not set 'msExchMasterAccountSid'. This attribute is populated by either the Active Directory Connector (ADC), Exchange Migrator, or when an administrator grants a user the 'Associated External Account' authority in the Mailbox Rights of a user. This article mentions the 'msExchMasterAccountSid' attribute because of its relationship to other attributes that the RUS populates.
If the user account is a disabled user, and hence msExchUserAccountControl is set to 2, the msExchMasterAccountSid attribute must be populated. If msExchUserAccountControl is set to 0, the msExchMasterAccountSid value must not be populated. This attribute has two possible categories of values, depending on how the mailbox associated with this user will be used.
If the mailbox is a resource mailbox, 'msExchMasterAccountSid' should contain the well-known Microsoft Windows 2000 SID, "Self," also called "Principal Self." This can also be viewed in the Mailbox Rights of the 'Exchange Advanced' tab of the mailbox in Active Directory Users and Computers, by looking at the name of the account which is granted the 'Associated external account' permission.
Why is the attribute 'msExchMasterAccountSid' used in a migration?
fact
Exchange Migrator 2.x
fix
The reason that this is populated is because the checkbox to 'Associate the existing account with the new Exchange mailbox' was checked. This checkbox will tell Exchange Migrator (EM) to add the source mailbox user as an 'Associated external account' to the new target mailbox. When an account is given the 'Associated external account' permission the 'msExchMasterAccountSid' property on the target mailbox is populated with the sid of the source mailbox user (or the account that was added as 'Associated external account'). This is a function of Windows 2000. To test this, you could add an external account to the mailbox and verify that this attribute gets populated. To ensure this does not happen during a migration with Exchange Migrator, deselect the checkbox for 'Associate the existing account with the new Exchange mailbox'. This checkbox is typically used only if the user will still be logging in with his source domain account and using his target mailbox. In this scenario, the target user account should be disabled.
The RUS does not set 'msExchMasterAccountSid'. This attribute is populated by either the Active Directory Connector (ADC), Exchange Migrator, or when an administrator grants a user the 'Associated External Account' authority in the Mailbox Rights of a user. This article mentions the 'msExchMasterAccountSid' attribute because of its relationship to other attributes that the RUS populates.
If the user account is a disabled user, and hence msExchUserAccountControl is set to 2, the msExchMasterAccountSid attribute must be populated. If msExchUserAccountControl is set to 0, the msExchMasterAccountSid value must not be populated. This attribute has two possible categories of values, depending on how the mailbox associated with this user will be used.
If the mailbox is a resource mailbox, 'msExchMasterAccountSid' should contain the well-known Microsoft Windows 2000 SID, "Self," also called "Principal Self." This can also be viewed in the Mailbox Rights of the 'Exchange Advanced' tab of the mailbox in Active Directory Users and Computers, by looking at the name of the account which is granted the 'Associated external account' permission.
Additional Information
Formerly known as NETIQKB3217