This security ID may not be assigned as the owner of this object

The scenario: provisioning linked mailboxes in an Exchange resource forest (with the FIM Synchronization Service, Identity Lifecycle Manager, or Identity Integration Server).

The error: “This security ID may not be assigned as the owner of this object.”

The problem: It would appear that the issue is writing the msExchMasterAccountSid attribute however in reality it is as a result of the ExchangeUtils.CreateMailbox method actually updating the msExchMailboxSecurityDescriptor and nTSecurityDescriptor attributes.

The resolution: grant the management agent (MA) account performing the creation SeRestorePrivilege (Restore files and directories) on the domain controllers.

More information

Modifying msExchMailboxSecurityDescriptor and nTSecurityDescriptor is evidently a security sensitive operation, and the underlying API requires SeRestorePrivilege –Restore files and directories in the GPEDIT.MSC tool. The account running the AD MA that creates the mailbox requires SeRestorePrivilege (Restore files and directories) on Domain Controllers.  The reason the privilege is required on domain controllers and not the member servers hosting the mailbox databases is because the ACLs that are being written are against the AD user object.

ExchangeUtils::CreateMailbox(ConnectedMA, ReferenceValue, String, String, Byte[]) and ExchangeUtils::CreateMailbox(ConnectedMA, ReferenceValue, String, String, long, long, long, Byte[], Boolean) actually updates the following attributes in addition to those you define against the connector (CSEntry) object:

  • msExchMailboxSecurityDescriptor
  • nTSecurityDescriptor

You will likely be setting the following values:

  • mailNickname
  • homeMDB
  • mDBUseDefaults (or mDBOverHardQuotaLimit, mDBOverQuotaLimit and mDBStorageQuota)
  • msExchMasterAccountSid

In addition to the usual distinguishedName, sAMAccountName, userPrincipalName, etc.

Either method needs to update the nTSecurityDescriptor such that the actual user (in the trusted domain) has access to the mailbox.  Replacing this value during export requires SeRestorePrivilege.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, FIM 2010, Troubleshooting and tagged , , , , , , , , , . Bookmark the permalink.

1 Response to This security ID may not be assigned as the owner of this object

  1. Pingback: exported-change-not-reimported error when provisioning a linked mailbox | Yet another identity management blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s