To allow single sign-in when a disabled user account is enabled for an Exchange Server mailbox, use the SID Mapping Tool to map the SID (security identifier) of a disabled user account in the resource forest to the corresponding primary user account in the user forest. The SID Mapping Tool is delivered as part of the Microsoft Office Communications Server 2007 R2 Resource Kit.
To map the SID of a disabled user account
- Log on to a server joined to an Active Directory domain in the resource forest using an account that is a member of the Domain Admins group.
- If necessary, install the Microsoft Office Communications Server 2007 R2 Resource Kit. You can download the resource kit from the same Web site you used to download Office Communications Server 2007 R2. For more information, see Microsoft Office Communications Server 2007 R2 Resource Kit Readme.
- At the command prompt, run the following command to configure Windows Script Host to use cscript:
  wscript //h:cscript
- In the confirmation box, click OK.
- Change the path of the command prompt by running the following command:
  cd %programfiles%\Office Communications Server 2007\Reskit\LCSSync
- Review the resource forest accounts that will be updated by running the following command:
  sidmap.wsf /OU:<DN of container with disabled user accounts> /query
  where:
  - /OU specifies the distinguished name (DN) of the container with the disabled user accounts. To represent the DN, use the following format:
    OU=<name>,DC=<domain name>,DC=<subdomain name>
    For example, OU=Accounting,DC=contoso,DC=com
  - /query limits the SID Mapping Tool to only query the resource forest and not populate the attributes.
  The command returns a list of disabled user accounts in the resource forest.
- Populate the attributes in the resource forest by running the following command:
  sidmap.wsf /OU:<DN of container with disabled user accounts> [/logfile:<path\filename>]
  where /logfile is an optional parameter that saves the results of your operation to a file for your records. This log file is automatically populated with a list of logon-disabled and Office Communications Server-enabled users.
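Because the mapping decides which primary account can sign in as each disabled account, it is worth checking what was written once the populate step has run. The following PowerShell is an added example, not part of the original page or the Resource Kit. It assumes the ActiveDirectory module is available and that the tool copies msExchMasterAccountSid into msRTCSIP-OriginatorSid (the attribute names and that behaviour are not stated on this page); the function names are hypothetical.

```powershell
# Added example: audit SID mapping on disabled accounts in the container.
Import-Module ActiveDirectory

# Constructed value: the page's example DN. Replace with your container.
$SearchBase = 'OU=Accounting,DC=contoso,DC=com'

function ConvertTo-Sid {
    param($Value)
    # AD may return a SID attribute as a SecurityIdentifier or as raw bytes.
    if ($null -eq $Value) { return $null }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]]$Value), 0
}

function Get-SidMapStatus {
    param([string]$Container)
    # Assumption: these two attributes are the source and target of the mapping.
    $props = 'msExchMasterAccountSid', 'msRTCSIP-OriginatorSid'
    Get-ADUser -SearchBase $Container -Filter 'Enabled -eq $false' -Properties $props |
        ForEach-Object {
            $master = ConvertTo-Sid $_.msExchMasterAccountSid
            $origin = ConvertTo-Sid $_.'msRTCSIP-OriginatorSid'
            if     ($null -eq $master)  { $status = 'NoMasterAccountSid' }
            elseif ($null -eq $origin)  { $status = 'NotMapped' }
            elseif ($origin -ne $master) { $status = 'Mismatch' }
            else                         { $status = 'Mapped' }
            # Resolve the mapped SID to a name; this fails if the SID is
            # orphaned or the user forest cannot be reached over the trust.
            $mappedTo = $null
            if ($null -ne $origin) {
                try { $mappedTo = $origin.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $mappedTo = '<unresolved>' }
            }
            New-Object PSObject -Property @{
                SamAccountName = $_.SamAccountName
                Status         = $status
                OriginatorSid  = if ($origin) { $origin.Value } else { $null }
                MappedTo       = $mappedTo
            }
        }
}

$report = @(Get-SidMapStatus -Container $SearchBase)
$report | Sort-Object Status, SamAccountName |
    Format-Table SamAccountName, Status, MappedTo, OriginatorSid -AutoSize
$flagged = @($report | Where-Object { $_.Status -ne 'Mapped' -or $_.MappedTo -eq '<unresolved>' })
if ($flagged.Count -gt 0) { Write-Warning "$($flagged.Count) account(s) need review." }
```

Compare the MappedTo column against the intended primary account for each mailbox; a Mismatch or an unresolved SID should be investigated before users rely on single sign-in.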