none
How can the "ExchangeUserAccountControl" parameter be modified? RRS feed

  • Question

  • I currently run a script daily that disables users in AD for inactivity. When this script disables someone it does so just in AD and there account is still able to receive e-mail. This is exactly what we want.

    Now, someone who was here before ran a similar script that he wrote, except all the users that were disabled by his script return undeliverables when you attempt to mail them. This is not how we want it to work and I don't have a copy of his script to see what exactly it did.

    What I have been able to tell is that the difference between an account disabled with my script and an account disabled by his script is that accounts that were disabled by his script have the "ExchangeUserAccountControl" parameter set to "AccountDisabled" and the ones done my mine have this parameter set at "None."

    I can't figure out how to undo this. How does one go about getting ExchangeUserAccountControl set back to None

    Monday, May 7, 2012 6:55 PM

Answers

All replies

  • Hi,

    you are able to disable an user account using Active Directory. This means that the account is able to receive new mails. Is you disable the account using Exchange mechanism then the Exchange specific attributes for this account are removed from the userraccount but the useraccount itsself resides as enabled. So the mailbox data is removed.

    So if you want to achive disabling the user and leave the possibility receiving mails you have zo disable the userraccount using Active Directory mechanism.


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    Monday, May 7, 2012 7:32 PM
  • To further clarify... here is the output of a get-mailbox for an example user. This user was previously disabled by a script that I don't have access to. I have re-enabled the user in AD, but how do I get the mailbox back? It still shows as AccountDisabled...
    Monday, May 7, 2012 7:49 PM
  • Hi,

    as I mentioned above. If you disable an account using e.g. Exchange Management console then you remove the mailbox settings from the active directory userr. so the mailbox is deleted. Please have a look at the disconnected mailbox in Exchange management Console. there you are able to reconnect the mailbox if you have configured a retention time for mailbox deletion.

    If mailbox retention time is set to 0 then you have to restore the mailbox from the backup.

    Kind regards.

      Thomas


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    Monday, May 7, 2012 7:53 PM
  • The user is not in the Disconnected Mailbox list in Exchange Management Console, it is in the Mailbox list. It never was in the Disconnected Mailbox list.

    If the user was in the Disconnected Mailbox list I couldn't have posted that screenshot as Get-Mailbox would've errored out saying it couldn't find the user.

    What I need to know is how to modify the "ExchangeUserAccountControl" parameter, because apparently that is what is making Exchange reject messages for these mailboxes.

    Because I don't have access to the script that originally disabled these users, I don't know how that parameter even got changed. I really have no idea what the ExchangeUserAccountControl parameter even does or describes... I know disabling a user in AD changes the UserAccountControl parameter but it doesn't seem to affect the ExchangeUserAccountControl.

    Monday, May 7, 2012 8:27 PM
  • Hi

    I think he changed the mailbox type, I tried convert a normal mailbox to a room mailbox, this parameter changed.

    Could you please double check the parameter RecipientTypeDetails

    Cheers

    Zi Feng


    Zi Feng

    TechNet Community Support

    Tuesday, May 8, 2012 6:09 AM
    Moderator
  • Dang... I was hoping you were right. I checked it this morning when I got into work and both RecipientType and RecipientTypeDetails are set to UserMailbox.

    Thanks, anyway.

    Tuesday, May 8, 2012 1:40 PM
  • Maybe I should start here... Can anyone explain to me the conditions that specifically cause the ExchangeUserAccountControl parameter to be set to AccountDisabled?
    Tuesday, May 8, 2012 7:50 PM
  • Hi

    When you Disable the user Account in AD, this parameter will change to AccountDisabled.

    You could refer to Disable or enable a user account

    http://technet.microsoft.com/en-us/library/cc781527(v=ws.10).aspx

    Cheers

    Zi Feng


    Zi Feng

    TechNet Community Support

    Wednesday, May 9, 2012 5:40 AM
    Moderator
  • I have not seen that this is true. When I disabled an AD account the ExchangeUserAccountControl parameter does not change. The UserAccountControl parameter does, but not the ExchangeUserAccountControl.

    Here is an example of an account after it was disabled in AD...

    Wednesday, May 9, 2012 1:46 PM
  • Hi

    You should wait for a few minutes, it will not change immediately

    Cheers


    Zi Feng

    TechNet Community Support

    Thursday, May 10, 2012 2:56 AM
    Moderator
  • I had a similar, but reverse issue.

    Out of a store of terminated users, there was only one whose "ExchangeUserAccountControl" was set to None.

    I tried re-enabling, and then disabling again - no success

    I tried PowerShell to set the field manually to "AccountDisabled" - it won't let you.

    I resorted to comparing a get-mailbox|fl for the user that had the issue to one that did not. The only difference between them was that the "broken" user had a value in "Custom Attribute 1". After I removed that entry, voila, the account flipped to "AccountDisabled". I have no earthly idea what a custom attribute could have to do with the ExchangeuserAccountControl field - go figure.

    I have not tried to add that field to another user to intentionally "break" it again, but it might be worth a shot.

    Cacophony777 - maybe your script adds a custom attribute where the one before yours did not?

    Wednesday, November 14, 2012 9:09 PM
  • Cacophony777,

    Did you ever find out what was causing this? I have a similar situation with EX2010, where the AD account is enabled, is a user mailbox, and is not disconnected, but Get-mailbox is still ExchangeUserAccountControl:AccountDisabled

    I even toggled the AD account to see if that would break it loose, no luck though.

    • Proposed as answer by j.ware Tuesday, April 30, 2013 10:12 PM
    • Unproposed as answer by j.ware Tuesday, April 30, 2013 10:12 PM
    Tuesday, April 9, 2013 3:07 PM
  • @newdamage1

    Check the users msExchHideFromAddressLists attribute, is it set to False?  If so hide him from the GAL, then unhide him.  This attribute should be blank for normal user accounts that are enabled, I think False is only for disabled accounts that you still want to show up in the GAL, and having False on an enabled account causes ExchangeUserAccountControl to be set to AccountDisabled.

    Tuesday, April 30, 2013 10:15 PM
  • I know this is an old post, but I didn't see an answer posted.  I think if you use Set-Mailbox <MailboxID> with no parameters it will call to AD and update the Exchange object's properties.

    I should add that there is no relationship between this property and mail delivery, there are 2 things I would recommend to troubleshoot this delivery issue.  One is to look at the NDR, for example I had a similar case, the NDR said it was an authentication problem, which lead me to see a property had been flipped on the mailbox to only accept mail from authenticated users, which meant internet mail got NDR-ed.  Secondly open 2 EMS windows and place them side-by-side so you can compare the properties of the dysfunctional mailbox to those of a known healthy mailbox.  Chances are you will ID the property that's causing the delivery failure.

    Also note if your gateway does any kind of LDAP look up it could be an issue, but your original post didn't seem specific to inbound mail so I otherwise can't say.


    SGS

    Wednesday, December 31, 2014 3:48 PM