none
Should there be any security concerns about disabled Active Directory Objects created by Exchange?

    Question

  • One of the security analyst in my agency asked if the disabled objects in our resource container can be deleted. Of course my short answer was no they cannot. However they are doing an audit of user accounts because the password hasn't been change on the account or logged into since creation it comes up flagged. So they want some specifics as to why the disabled objects can't be deleted. They are thinking that if the object is disabled and we are hybrid O365 why do we need the accounts. So I guess I need something other than my word as to why they should remain and the purpose. These are accounts such as resource calendars and equipment like printers.

    Are there any resources that you can point me to that I can read/give to them about the disabled resource accounts created in Exchange by AD?


    Thad Brown

    Tuesday, May 15, 2018 7:50 PM

All replies

  • In case you didn't notice, I am rolling my eyes.  Not at you, by the way.  Why is it that so-called security analysts insist on spending lots of money and resources minimizing nonexistent risks?  Before you blindly follow a so-called analyst's recommendation or demand, insist that he give your a risk assessment.

    In a hybrid or otherwise directory-synchronized environment, deleting an on-premises security principal will cause the corresponding Office 365 mailbox to be deleted.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, May 15, 2018 9:36 PM
    Moderator
  • Shared mailboxes and resource accounts have AD disabled accounts by default. Would they be happier if you enabled the AD account and set a password? that seems less safe then being disabled.
    Tuesday, May 15, 2018 10:02 PM
    Moderator
  • Ok. I said the same thing about the account being disabled as there is no way to login. As well as Exchange uses the account features but doesn't require the user account to be logged into. Thanks for your response I will ask the analyst about the risk assessment and the concerns. I also have another question that was asked of me. It is still related to the Exchange resource printers. In our old on-premise only setup we needed individual accounts because each machine sent directly to the on-premise mail server. Since we are in hybrid mode and we use SMTP client submission using a cloud only account with our MFP printers, do we still need the printer listed in AD as an equipment resource? Sorry everyone is worried about security these days.


    Thad Brown

    Wednesday, May 16, 2018 5:26 PM
  • It's hard to send mail to Exchange Online without creating an inbound connector, and that's a difficult thing to do for things like scan-to-mail devices, so the best way to do that is to send using port 587 and authentication, which requires a licensed account.  This kind of thing is much easier with an on-premises Exchange hybrid server.  Your devices send to it, which routes the mail to Exchange Online.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, May 16, 2018 8:32 PM
    Moderator
  • I hope, this earlier discussed thread should help to clarify your concern in depth :

    Are there any dangers of leaving AD user accounts disabled and not deleted?

    https://community.spiceworks.com/topic/334919-are-there-any-dangers-of-leaving-ad-user-accounts-disabled-and-not-deleted


    Regards, Alaina Jodi Shoviv Exchange Recovery Manager

    Thursday, May 17, 2018 11:27 AM