Exchange Hotfix for 9548 Errors (KB903158) Causes MOM Mailflow Scripts to Fail

The problem... We recently applied a long-awaited hotfix for the much-hated MSExchangeIS Event ID:9548 - 'Disabled account does not have a master account SID'. As soon as we did, we started seeing the following error in the Operator Console, and mailflow scripts started failing: The script aborted its execution due to the following error: 0x80040705(-2147219707) Unexpected error code received from 'EMPMS.MailFlowSender', description: The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. [Microsoft Exchange Server Information Store - [MAPI_E_FAILONEPROVIDER(8004011D)]] This event was generated by the script: "Exchange 2003 - Mail flow sender" Some background... This error stems from the fact that disabled Windows user account permissions are calculated by using the msExchMasterAccountSID attribute, rather than the objectSID or sidHistory attributes used for enabled accounts. The msExchMasterAccountSID will be empty on all disabled user objects not created by the Active Directory Connector for the most part, resulting in potentially hundreds of errors if users are disabled in your directory while the mailbox association is retained. The logging of this event ID can be fixed by granting the SELF account the Associated External Account right on the mailbox, as documented in KB278966. But why should you care? Because the Exchange Info Store will waste cycles trying to resolve the SID of this object on every ACL on which it appears, which can lead to performance degradation if encountered in sufficient numbers. The fix... There were some permission changes made by the hotfix, which in this situation, also lead to Blackberry problems. 'Send As' permissions previously granted to BES service accounts and the MOM Mailbox Access Account were removed. To resolve this issue, you simply need to give the MOM Mailbox Access Account "Send As" permission on all of the test mailboxes. Note that due to the DSAccess Cache and Mailbox Information Cache, your change may not be immediately recognized, but will take hold as those caches are refreshed. Restarting the Exchange Info Store to make the change take effect immediately, but obviously causes a service interruption. According to Chris Harris of MS, a update to the Exchange MP Configuration Wizard is underway to provide for correction of the problem. Until that is released, simply touch each disabled user with a MOM test mailbox and grant Send As rights on the Security tab in user account properties How to get the 9548 Hotfix... The hotfix was originally released in a version compiled against Exchange 2003 SP1 (but came well after SP2 was released). An SP2 version was made available in the last few days. It's a free call to MS PSS to get the hotfix. the SP1 version was originally published in KB903158.