How to prevent FIM from deleting mailboxes on Exchange 2010.

  • Monday, April 16, 2012 9:24 PM

    Good afternoon.

    I ask forgiveness for grammar.

    The question is: how can I forbid the FIM Active Directory agent from deleting the mailboxes of removed AD user accounts?

    I have already read forum threads like "Disabling/deleting exchange mailbox using FIM 2010".

    But unfortunately I am still able to delete the mailbox without using PowerShell.

    In the settings of the FIM Active Directory agent, the "deprovisioning options" option is set to "stage a delete on the object for the next export run".

    To check, I used the following sequence of actions:

    1. I create the new user in the external system (HR Data).
    2. I import the new user into the FIM portal.
    3. I export the new user to AD and check the results:
      1. In Active Directory there is a new account for the user.
      2. In Exchange 2010 there is a new mailbox for the created user.
    4. I delete the user from the external system (HR Data).
    5. I import the changes into the FIM portal.
    6. I export the changes to Active Directory. I check the result:
      1. In Active Directory, the user is deleted;
      2. In the Exchange console, the mailbox is removed too, in spite of the fact that a mailbox without an AD user account should be moved to «Disconnected Mailbox». But it isn't there. The mailbox is completely removed from Exchange.

    I tried to solve the problem by restricting the rights of the FIM Active Directory agent account on Exchange.

    I granted the ADATUM\FIM account rights to create accounts and rights to change mailbox parameters, but forbade removal. I checked in the Exchange console that the ADATUM\FIM account can't remove a mailbox. I changed the configuration of the FIM Active Directory agent by setting the "ADATUM\FIM" account in the parameters of the FIM Active Directory agent. I executed the sequence of actions described above. Same result: the user account is removed and the mailbox is removed.

    Checked 3 times; the result was identical.

    2 times in the virtual lab of http://technet.microsoft.com/en-us/ff793470 (Lab 7 - there is already a configured environment there, with the FIM AD agent & Exchange 2010). 1 time in my own lab environment.

    Is there a description of the interaction between FIM and Exchange when the removal of an AD user is performed?

    Why can I remove a mailbox? How is it possible to forbid removal of a mailbox?

    Sequence of actions to restrict the rights of the account on Exchange:

    1. I create the new group "ADATUM\RecipentManangement-FIM".
    2. I create the account "ADATUM\FIM".
    3. I add the account "ADATUM\FIM" to the group "ADATUM\RecipentManangement-FIM".
    4. For the account "ADATUM\FIM" I set Full Control on OU=Adatum.
    5. For the group "ADATUM\RecipentManangement-FIM" I forbade removal of mailboxes. In the Exchange 2010 PowerShell console I executed:
    6. New-ManagementRole FIM -Parent "Mail Recipients"
    7. New-ManagementRoleAssignment -Role FIM -SecurityGroup RecipentManangement-FIM
    8. Get-ManagementRoleEntry FIM\Disable-Mailbox | Remove-ManagementRoleEntry
    9. For the FIM Active Directory agent I set the account "ADATUM\FIM".
    10. I checked the account creation process.
    11. I checked the account removal process.
    12. I checked removal of the mailbox. For updating the Disconnected Mailbox list I used:
    13. Get-MailboxDatabase
    14. Clean-MailboxDatabase "Mailbox Database 0455042759"

    -------------------------------------------------------------------------------------------------------------------------------

    Best regards, Taras Galaka

    Implementation Engineer
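An added example (not from the original post or the lab) of how to verify, in the Exchange 2010 Management Shell, that the derived role from steps 6 to 8 really lacks the mailbox-removal cmdlets and who effectively holds it; the role, group and account names are the ones from the post, and the check for a second assignment granting the same cmdlets is an assumption about what a practitioner would want to see:

```powershell
# Added example, not the poster's code. Run in the Exchange 2010 Management Shell.
# Names taken from the post above.
$RoleName  = "FIM"
$GroupName = "RecipentManangement-FIM"
$Account   = "ADATUM\FIM"

# 1. Which cmdlets does the derived role still expose? Entries are named "Role\Cmdlet".
#    @() keeps .Count working under PowerShell 2.0 when only one entry comes back.
$entries = @(Get-ManagementRoleEntry "$RoleName\*")
"Role $RoleName exposes $($entries.Count) cmdlets"

# 2. Warn if a removal/disable cmdlet survived the Remove-ManagementRoleEntry step.
$forbidden = @("Disable-Mailbox", "Remove-Mailbox")
$leftover  = @($entries | Where-Object { $forbidden -contains $_.Name })
if ($leftover.Count -gt 0) {
    $names = ($leftover | ForEach-Object { $_.Name }) -join ", "
    Write-Warning "Role $RoleName still contains: $names"
} else {
    "Role $RoleName contains none of: $($forbidden -join ', ')"
}

# 3. Who holds the role, resolved through group membership (-GetEffectiveUsers),
#    and to which recipient scope the assignment is limited.
Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RoleAssigneeType, RecipientWriteScope |
    Format-Table -AutoSize

# 4. Any other assignment the account inherits (for example via a built-in role group)
#    that still grants one of the forbidden cmdlets would quietly re-enable them.
Get-ManagementRoleAssignment -RoleAssignee $Account |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role.Name)\*" } |
    Where-Object { $forbidden -contains $_.Name } |
    Select-Object Role, Name |
    Format-Table -AutoSize
```

Step 4 printing nothing is the desired outcome: the account then has no path to Disable-Mailbox or Remove-Mailbox through any role, which is the precondition for ruling out the service account as the cause.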

All Replies

  • Monday, April 16, 2012 11:57 PM
    Moderator

    Taras-

    FIM never calls Disable-Mailbox natively. The only way this is happening is if you have custom code doing it.

    Once the user is deleted, Exchange will detect this during the background cleanup on the mailbox and mark the mailbox as disconnected. The mailbox will be physically deleted from the database according to whatever policy is defined in the properties of that database.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

  • Tuesday, April 17, 2012 10:52 AM

    Hello Brian.

    Thanks for the reply. I expected this behavior in the FIM Sync Service. But first, I decided to check in the virtual lab. I have not used any special code to call Disable-Mailbox (I used the preconfigured virtual lab). However, the mailbox was deleted rather than going to a disconnected mailbox.

    Can you tell me what in the FIM agent settings can cause this behavior?

    Or what in the settings do I have to disable to prevent the mailbox delete?

    Or suggest where to find information on how to configure a mailbox so that it is not removed. Will this reference suffice?

    http://fabienduchene.blogspot.com/2010/02/fim-2010-exchange-2010-provisioning.html

    Thank you.

    ---------------------------------------------------------------------

    FIM Synchronization Service Settings.

    FIM Synchronization Service - Virtual Lab Settings

    FIM agent settings

    FIM agent - Virtual Lab settings

    From the virtual lab manual:

    Click Select, and verify that the DLL called Adatum ADExtension.DLL is selected.

    Note: The detail of this DLL is beyond the scope of this course, but the code is reproduced at the end of this lab for those who are interested.

    I have not been able to find the code for this library.


    Taras Galaka

  • Wednesday, April 18, 2012 6:15 PM

    As Brian indicated, the mailbox is removed by whatever policy applies for mailboxes in the Exchange database. It is not done by the service account FIM is using to delete the user in AD but rather by Exchange itself, so there is no way to block that with permissions on the account.

    Try increasing the number of days that a mailbox is retained. Also, after doing some searching on this topic, I've gotten the impression you may need to run the mailbox cleanup agent in order for the mailbox to appear in the disconnected state.

    Chris
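The two points made in the replies above (retention is a property of the mailbox database, and a mailbox only shows as disconnected after the cleanup pass has run) as an added example for the Exchange 2010 Management Shell; this is not code from the thread, the database name is the one from the first post, and the 60-day retention value is an illustrative choice:

```powershell
# Added example, not from the original thread. Run in the Exchange 2010 Management Shell.
$Database     = "Mailbox Database 0455042759"   # name from the first post
$RetentionDays = 60                             # illustrative value, pick your own policy

# 1. The retention policy lives on the database, not on the AD account that deleted the user.
$db = Get-MailboxDatabase -Identity $Database -Status
$db | Select-Object Name, Mounted, MailboxRetention, DeletedItemRetention, RetainDeletedItemsUntilBackup |
    Format-List

# 2. Keep disconnected mailboxes longer before the store purges them for good.
#    MailboxRetention is an EnhancedTimeSpan; cast to TimeSpan to compare days.
$currentDays = ([TimeSpan]$db.MailboxRetention).TotalDays
if ($currentDays -lt $RetentionDays) {
    Set-MailboxDatabase -Identity $Database -MailboxRetention ("{0}.00:00:00" -f $RetentionDays)
    "MailboxRetention raised from $currentDays to $RetentionDays days"
} else {
    "MailboxRetention already $currentDays days, left unchanged"
}

# 3. A mailbox whose AD user is gone is only flagged as disconnected once the
#    cleanup pass has run. Clean-MailboxDatabase requests that pass; it runs
#    asynchronously, so the listing below may lag by a few seconds.
Clean-MailboxDatabase -Identity $Database

# 4. Disconnected mailboxes carry a DisconnectDate; DisconnectReason (SP1 and later)
#    tells a disabled mailbox apart from a soft-deleted one left behind by a move.
Get-MailboxStatistics -Database $Database |
    Where-Object { $_.DisconnectDate -ne $null } |
    Select-Object DisplayName, MailboxGuid, DisconnectDate, DisconnectReason, TotalItemSize |
    Sort-Object DisconnectDate -Descending |
    Format-Table -AutoSize
```

If step 4 is empty right after the user deletion, re-run only the listing after a short wait before concluding that the mailbox was purged rather than disconnected.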

  • Wednesday, April 18, 2012 6:17 PM
    Moderator

    As Chris indicated, mailboxes won't show up as disconnected until the background cleanup on the database completes successfully.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

  • Thursday, April 19, 2012 7:57 AM

    As Chris indicated, mailboxes won't show up as disconnected until the background cleanup on the database completes successfully.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com


    Hello Brian.

    Thanks for the answer. But I did carry out the Disconnected Mailbox list update; it is described in the first post:

    12. … For updating the Disconnected Mailbox list I used:

    13. Get-MailboxDatabase

    14. Clean-MailboxDatabase "Mailbox Database

    I planned to set up creation of mailboxes according to the instructions from virtual lab No. 5, «Implementing Forefront Identity Manager 2010», http://technet.microsoft.com/en-us/ff793470 (link to the virtual lab: https://cmg.vlabcenter.com/default.aspx?moduleid=ee8ad2c3-1726-4914-8eec-137a09e3beba).

    Before starting to set up mailbox creation in the production environment, I decided to check whether mailboxes are removed from the database. I came to the conclusion that they are removed. Therefore I decided to ask a question on the forum.

    Can you point me to a reference on how to correctly set up creation of mailboxes?


    Taras Galaka