After an Exchange 5.5 to Exchange 2000 migration, why can I not assign permissions to any Organizati (NETIQKB7675)

  • 7707675
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

fact
Exchange Migrator 1.x

fact
Exchange Migrator 2.x

symptom
After an Exchange 5.5 to Exchange 2000 migration, why can I not assign permissions to any Organization mail objects like public folders, delegate permissions, etc?

cause

The msExchMasterAccountSid attribute on the target mailbox-enabled Active Directory account has been set to the account's own SID. Exchange Migrator does this if the "Associate the existing account with the new Exchange mailbox" option is selected on the Select Windows 2000 Account Merge Options page in the Specify Migration Options wizard, and your migration scenario involves source Exchange 5.5 mailboxes that had the target Active Directory accounts as their primary NT accounts before the migration.



fix
In an IntraOrg (site-to-site, same-Org) migration this option is not available. The option is enabled by default. To turn it off, add the following line to your PreMailbox script object; it turns off the option to add the source account to the target mailbox:
varsetobject.put "wizard.settings.AssociateNewAccountsWithOld", "No"

To remedy the accounts already affected by this, delete the value (the SID) from the msExchMasterAccountSid attribute on each affected target mailbox-enabled Active Directory account. See the following Microsoft KB article for instructions on how to do this:

  • Q309222:  XADM: ADClean Sets "msExchMasterAccountSID" Attribute on Enabled Users.
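To find which accounts are affected before clearing anything, the check below is an added example, not NetIQ or Microsoft code. It assumes an LDIF export of the mailbox-enabled accounts (for instance from ldifde) in which objectSid and msExchMasterAccountSid appear as base64 values; the DNs and SIDs in the sample are constructed.

```python
import base64
import struct

def sid_to_str(raw):
    """Render a binary SID (objectSid layout) as S-1-... text."""
    count = raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def parse_ldif(text):
    """Return one dict per entry; base64 ('::') values are decoded to bytes."""
    entries = []
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):
                entry[name.lower()] = base64.b64decode(value[1:].strip())
            else:
                entry[name.lower()] = value.strip()
        entries.append(entry)
    return entries

def find_affected(text):
    """(dn, SID) for accounts whose master account SID is their own SID."""
    return [(e["dn"], sid_to_str(e["objectsid"])) for e in parse_ldif(text)
            if "msexchmasteraccountsid" in e
            and e["msexchmasteraccountsid"] == e.get("objectsid")]

def removal_ldif(dn):
    """LDIF modify record that deletes the attribute from one account."""
    return "dn: %s\nchangetype: modify\ndelete: msExchMasterAccountSid\n-\n" % dn

# Constructed sample export: made-up DNs and SIDs, built here so it runs offline.
def _sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _entry(dn, own, master):
    enc = lambda b: base64.b64encode(b).decode()
    return "dn: %s\nobjectSid:: %s\nmsExchMasterAccountSid:: %s\n" % (dn, enc(own), enc(master))

SAMPLE = "\n".join([
    _entry("CN=Alice,OU=Staff,DC=example,DC=com", _sid(21, 1, 2, 3, 1104), _sid(21, 1, 2, 3, 1104)),  # own SID: affected
    _entry("CN=Room1,OU=Staff,DC=example,DC=com", _sid(21, 1, 2, 3, 1105), _sid(10)),  # a different SID: left alone
])

if __name__ == "__main__":
    print("\n".join(removal_ldif(dn) for dn, _ in find_affected(SAMPLE)))
```

Review the generated modify records against the list of accounts you expect to be affected before importing them into the directory.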



note

This issue was resolved in EM 2.21 Hotfix027949 and is included in versions thereafter.  EM 2.21 Hotfix027949 can be downloaded at the following link:



Additional Information

Formerly known as NETIQKB7675