02 May, 2014

Deleting & Recreating an Active Directory User Account and an Exchange 2010 Mailbox


One of our users was having bizarre problems with her account. We tried to troubleshoot to find out what was causing the real issue but nothing was clear. Before I even tell you what the reason was, let me tell you first what the symptoms were.

First, the user reported a warning when she logged onto her computer. I confirmed that she was getting the Windows 7 balloon warning “Windows cannot locate the server copy of your roaming profile”.

Browsing Event Viewer under Windows Logs\Application shows a matching error, Event ID 1521, with the description “Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.”

Just these two symptoms pointed to a roaming profile issue, which makes sense because the user is in an OU for which roaming profiles are enabled. But among 50+ users, this particular user was the only one with the issue. To try another scenario, we logged into another computer with the same user account, and guess what? The same issue occurred on the other computer too. So I started to think this might be an NTFS security problem, but I didn’t feel like going through every folder and file in the user's profile and checking the NTFS security settings of each one. Instead, I took the shortcut: back up everything in the user profile, delete the user account and recreate it. What a smooth plan :)

The interesting part starts here: when our IT technician was backing up the user profile, he realized that some of the files and folders wouldn’t copy! The smell of corrupted NTFS security was getting even stronger. We found that at the root of one folder, some PDF files had only the “Administrators” account in their NTFS security permissions. That was enough to break the user's roaming profile.

Whatever the real cause was, this behaviour was not normal and was probably a signal of other bizarre issues the user might run into in the future. So, stick to the plan and let’s create a fresh user account.

Once the user account was deleted from Active Directory, the mailbox was automatically removed from our Exchange 2010 server too. I created the new account right away, with exactly the same username and email address…


The user logged back in with the new account, with no warning and no NTFS issues. Everything was smooth. We even configured her Outlook and she started to send and receive emails. No problem… until someone tried to send an email to this user! The sender selected the user's contact from the Outlook “Auto-Complete List”. I think the auto-complete list was using the old entry for the user, because the sender would receive a non-delivery report from Exchange as soon as the message was sent.

Example:

Delivery has failed to these recipients or distribution lists:

Users Name
The recipient’s e-mail address was not found in the recipient’s e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

After reading about others who had the same problem and trying to understand what we screwed up while recreating the user account, I found the articles below. Basically: “This behavior is caused because every internal message sent/received in the organization will have the recipient info resolved normally to the LegacyExchangeDN attribute. In this case, the user mailbox would have been recreated or the old LegacyExchangeDN value would have been changed to a different one.”

So we had to add a new X500 address to the user's mailbox from the Exchange Management Console. But first, let’s gather the actual LegacyExchangeDN value with the help of the ADSI Edit tool.

  1. Run “adsiedit.msc”.
  2. Find the user account in your organization hierarchy under Default Naming Context.
  3. Right-click the user object and click Properties. This brings up the CN=User Name Properties window.
  4. Under the “Attribute Editor” tab, scroll down to the “LegacyExchangeDN” value and click “Edit”. Copy that value, because we will need it when we create the X500 address for the user.
  5. Now close all ADSI Edit windows without making any changes and go to the Exchange Management Console.
  6. Find the user's mailbox in your Exchange environment, right-click it and choose “Properties”. Under the “E-Mail Addresses” tab, add a custom address:

     E-mail address: the LegacyExchangeDN value that we copied earlier.
     E-mail type: X500
Ideally you would wait until all your clients update with the new entries, but if you need to force some clients to pick up the new value: create a new message and type the first letters of the user's name; when you see the contact listed in the auto-complete list, click the “x” icon to delete the entry. Then in Outlook, under the “Send / Receive” tab, click “Send/Receive Groups” and then “Download Address Book” to download the newest global catalog. Now you can manually type in the user's email address and the email should go through just fine.
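The same server-side fix scripted for the Exchange Management Shell, as an added example that is not part of the original post: it reads the LegacyExchangeDN attribute with Get-ADUser instead of ADSI Edit and appends it to the mailbox as an X500 proxy address, skipping the change if the address is already there and verifying it afterwards. It assumes an Exchange 2010 shell with the ActiveDirectory RSAT module available; the mailbox identity `jdoe` is a placeholder, and the function accepts any LegacyExchangeDN value since the one that matters is the one stale auto-complete entries still carry.

```powershell
# Added example, not from the original post. Assumes: Exchange Management Shell
# on Exchange 2010 with the ActiveDirectory RSAT module. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Add-X500FromLegacyDN {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,          # mailbox to fix
        [Parameter(Mandatory=$true)] [string] $LegacyExchangeDN   # value copied in step 4
    )

    # A LegacyExchangeDN always has the shape /o=<org>/ou=<admin group>/cn=...;
    # refuse anything else so a mistyped value is not written to the mailbox.
    if ($LegacyExchangeDN -notmatch '^/o=[^/]+/ou=[^/]+/cn=') {
        throw "Value does not look like a LegacyExchangeDN: $LegacyExchangeDN"
    }
    # An X500 proxy address is the bare LegacyExchangeDN prefixed with "X500:".
    $x500 = "X500:$LegacyExchangeDN"

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Idempotent: do nothing if the address is already present (case-insensitive).
    $existing = $mbx.EmailAddresses | Where-Object { $_.ProxyAddressString -ieq $x500 }
    if ($existing) {
        Write-Host "$Identity already has $x500"
        return
    }

    # Appending to the existing collection leaves the primary SMTP address untouched.
    $mbx.EmailAddresses += $x500
    Set-Mailbox -Identity $Identity -EmailAddresses $mbx.EmailAddresses

    # Read back and confirm the X500 address was actually stored.
    $after = Get-Mailbox -Identity $Identity
    $written = $after.EmailAddresses | Where-Object { $_.ProxyAddressString -ieq $x500 }
    if (-not $written) {
        throw "X500 address was not written to $Identity"
    }
    Write-Host "Added $x500 to $Identity"
}

# Step 4 of the post, scripted: read the attribute from AD instead of ADSI Edit,
# then feed it to the function (step 6).
$user = Get-ADUser -Identity 'jdoe' -Properties legacyExchangeDN
Add-X500FromLegacyDN -Identity 'jdoe' -LegacyExchangeDN $user.legacyExchangeDN
```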

What an adventure! :) If you are on this page, it’s because you ran into the same issue as me. So I highly recommend the following links for help. Cheers...
