18 Jan 2012
The “Link” Used by a Linked Mailbox
In a resource forest topology, the Exchange servers and the Exchange recipients are located in a separate Active Directory (AD) forest called the resource forest (forest B in Figure 1). The user accounts are located in the so-called account forest (forest A).
Figure 1: Resource Forest (Source Microsoft TechNet)
The resource forest trusts the account forest. The user account in the resource forest is disabled and only the mailbox of the disabled account is used. The AD account in the account forest is enabled. This is the account that you use to log on to your computer.
Let’s use PowerShell to investigate how the mailbox in a resource forest is linked to the user in the account forest.
In my test lab I have a mailbox in the resource forest with the alias “PennyM”. The account forest is called “Corp”.
Figure 2: Linked Mailbox Attributes
The Exchange Management Shell command in Figure 2 shows that this mailbox is linked to the account Corp\PennyM in the account forest. The following two Get-ADUser commands from the ActiveDirectory PowerShell module are used to show the link between the two objects. The disabled account in the resource forest has an attribute called msExchMasterAccountSid that stores the value of the objectSid attribute of the corresponding user in the account forest.
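The same link can be checked for every linked mailbox at once. The following PowerShell is an added example, not code from the original post: it reads msExchMasterAccountSid from each disabled resource-forest account and looks up the matching objectSid in the account forest. It assumes the Exchange Management Shell in the resource forest with the ActiveDirectory module loaded and credentials that can read both forests; the host name `dc01.corp.example` and the function name `Test-LinkedMailboxLink` are hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# of the resource forest. Assumption: the caller can read AD in both forests.
Import-Module ActiveDirectory
$AccountDC = 'dc01.corp.example'   # placeholder: a domain controller in the account forest

function Test-LinkedMailboxLink {
    param([Parameter(Mandatory=$true)] $Mailbox)

    $findings = @()
    # Disabled account in the resource forest that carries the mailbox
    $stub = Get-ADUser -Identity ([string]$Mailbox.DistinguishedName) -Properties msExchMasterAccountSid
    if ($stub.Enabled) { $findings += 'ResourceAccountEnabled' }

    $sid    = $stub.msExchMasterAccountSid
    $master = $null
    if (-not $sid) {
        $findings += 'NoMasterSid'
    } else {
        try {
            # Look up the user in the account forest whose objectSid equals the stored SID
            $master = Get-ADUser -Identity "$sid" -Server $AccountDC -ErrorAction Stop
            if (-not $master.Enabled) { $findings += 'MasterAccountDisabled' }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $findings += 'SidNotFoundInAccountForest'
        } catch {
            $findings += 'LookupError'   # e.g. DC unreachable or access denied
        }
    }
    if ($findings.Count -eq 0) { $findings = @('OK') }

    New-Object PSObject -Property @{
        Alias               = $Mailbox.Alias
        LinkedMasterAccount = $Mailbox.LinkedMasterAccount
        MasterSid           = "$sid"
        MasterSamAccount    = if ($master) { $master.SamAccountName } else { $null }
        Status              = $findings -join ','
    }
}

# Report only the linked mailboxes whose link does not look as described above
Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
    ForEach-Object { Test-LinkedMailboxLink -Mailbox $_ } |
    Where-Object { $_.Status -ne 'OK' } |
    Select-Object Alias, LinkedMasterAccount, MasterSid, MasterSamAccount, Status |
    Format-Table -AutoSize
```

An empty result means every linked mailbox has a disabled resource-forest account whose msExchMasterAccountSid resolves to an enabled user in the account forest.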
Figure 3: AD Permissions
Figure 3 shows that the user in the account forest was granted send-as rights and read property / write property rights on the personal information property set. These rights are granted when you create the linked mailbox.
Write access to the personal information property set enables the user in the account forest to modify, for example, the publicDelegates AD attribute of the disabled account in the resource forest. This AD attribute is modified when you run the Delegate Access wizard in Outlook. It controls who can send mail on your behalf.
Please refer to the TechNet article "Property Sets in Exchange 2007" for a description of the included attributes in the personal information property set.