Security ID problem with provisioning mailbox in resource forest

This is another troubleshooting note, so you can probably tell that some of the projects I work on have been delivered or are in the middle of deployment. Well, this is called life: something that works in the lab does not always work in the same perfect way in a production environment.

Provisioning of users and mailboxes is a common scenario where ILM is used. One such scenario is provisioning accounts and mailboxes into a resource forest, a pretty simple and standard task for an average experienced ILM person.

The last solution I deployed into production was exactly like this: two forests, one of them storing resource mailboxes. The provisioning code was simple: just call the CreateMailbox method and specify the logon account SID from the account forest as one of its parameters. This results in the well-known configuration where an account from one forest is granted the right to use a mailbox in the other forest by setting the msExchMasterAccountSid attribute to the specified SID.

Actually, the provisioning code was created by one of my friends from our MCS IdM team; I was just deploying it because he was taking care of his newborn child (congratulations once again).

Simple and easy; however, the initial export operation ended with an export error:

This security id may not be assigned as the owner of this object

Permissions in the resource forest were checked and we started looking at all possible explanations, when my colleague who was deploying Exchange in this organization checked whether the account configured for the resource forest MA had the right to access account forest information.

And this was exactly the point. So if you ever encounter such a situation in your deployment, double-check this one.
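A pre-flight check that covers both halves of this story, as an added PowerShell example (not code from the original post or from the provisioning solution it describes): it uses the resource forest MA service account's credentials to confirm that the logon SID from the account forest can actually be resolved, then reads msExchMasterAccountSid on the resource-forest user and compares it with that SID. The server names, the user name, and the SID are placeholders; the ActiveDirectory module cmdlets (Get-ADObject, Get-ADUser) are assumed to be available on the machine running the check.

```powershell
# Added example, not part of the original post. Run it as the ILM operator
# before the first export to a resource forest. All names below are placeholders.
param(
    [string]$AccountForestDC  = 'dc01.account.example',    # placeholder DC in the account forest
    [string]$ResourceForestDC = 'dc01.resource.example',   # placeholder DC in the resource forest
    [string]$MailboxUser      = 'jdoe',                    # placeholder sAMAccountName of the resource mailbox user
    [string]$LinkedSid        = 'S-1-5-21-1111-2222-3333-1234',  # constructed sample SID of the logon account
    [pscredential]$MACredential = (Get-Credential -Message 'Resource forest MA service account')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Normalise whatever the AD module hands back (SecurityIdentifier, string or raw bytes) to 'S-1-5-...'
function ConvertTo-SidString($value) {
    if ($value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]$value).Value
}

# 1. Can the MA service account read the owner's object in the ACCOUNT forest?
#    This is the lookup that failed in the post: when the MA account cannot read
#    the account forest, Exchange cannot validate the owner SID and the export
#    fails with "This security id may not be assigned as the owner of this object".
$owner = Get-ADObject -Server $AccountForestDC -Credential $MACredential `
    -LDAPFilter "(objectSid=$LinkedSid)" -Properties objectSid, sAMAccountName -ErrorAction Stop

if (-not $owner) {
    throw "The MA account cannot resolve SID $LinkedSid via $AccountForestDC. Grant it read access to the account forest before exporting."
}
Write-Host "Owner SID resolves to $($owner.sAMAccountName) in the account forest."

# 2. Does the resource-forest user carry msExchMasterAccountSid, and does it match the logon SID?
$resUser = Get-ADUser -Server $ResourceForestDC -Credential $MACredential -Identity $MailboxUser `
    -Properties msExchMasterAccountSid -ErrorAction Stop

if ($null -eq $resUser.msExchMasterAccountSid) {
    Write-Warning "msExchMasterAccountSid is not set on $MailboxUser yet; expected until the first successful export."
}
else {
    $masterSid = ConvertTo-SidString $resUser.msExchMasterAccountSid
    if ($masterSid -ne $LinkedSid) {
        Write-Warning "msExchMasterAccountSid on $MailboxUser is $masterSid, expected $LinkedSid."
    }
    else {
        Write-Host "msExchMasterAccountSid on $MailboxUser matches $LinkedSid."
    }
}
```

Step 1 is the one that matters for the error in this post: running the account-forest lookup under the MA service account's own credentials, rather than the operator's, reproduces exactly the access that Exchange needs when it validates the owner SID, so a failure here points at missing read rights in the account forest rather than at permissions in the resource forest.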

I found a thread on the TechNet Forum where somebody hit the wall with the same issue in the same situation, so I decided to post a short description here, just in case it helps somebody in a similar situation.