Advice needed on mailbox accounts

  • Question

  • Hi

    I am working for a company as an IT Security Officer (basically take charge of security compliance) and have only recently graduated. I have little experience with Active Directory and especially Exchange Server. Something my boss asked me to look into is all these mailbox accounts we have in our Active Directory under the resource folder.

    We were originally told that these accounts have low privileges by the IT support team. However, they all have weak passwords and I am not happy with that. I managed to log onto a mailbox account to determine what can be done on it. Turns out it has way too much access to the network and basically isn't locked down at all! I was fuming to say the least.

    Why do mailbox accounts need to be created as users in Active Directory under the resources OU? Is there a particular way to lock these accounts down and can they just be disabled once created? 

    Regards,

    RogueViper101 
    • Changed type Alan.Gim Tuesday, September 13, 2011 6:45 AM
    Thursday, September 8, 2011 11:00 AM

Answers

  • On Thu, 8 Sep 2011 11:00:03 +0000, RogueViper101 wrote:
     
    >Hi I am working for a company as an IT Security Officer (basically take charge of security compliance) and have only recently graduated. I have little experience with Active Directory and especially Exchange Server. Something my boss asked me to look into is all these mailbox accounts we have in our active directory under the resource folder. We were originally told that these accounts have low privileges by the IT support team. However, they all have weak passwords and I am not happy with that. I managed to log onto a mailbox account to determine what can be done on it. Turns out it has way too much access to the network and basically isn't locked down at all! I was fuming to say the least. Why do mailbox accounts need to be created as users in Active Directory under the resources OU?
     
    Only an AD user object can be assigned a mailbox. The OU was just
    named "resources" but the name has nothing to do with what it
    contains. It could just as well have been named "Elevators". :-)
     
    >Is there a particular way to lock these accounts down and can they just be disabled once created? Regards, RogueViper101
     
    There's no need for a user that's assigned a "resource" mailbox to be
    enabled in the AD. Nobody should be logging in as that user. Disable
    the user. Now the password doesn't matter. If you want to put a strong
    password on the disabled user, go ahead.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by Alan.Gim Tuesday, September 13, 2011 6:45 AM
    • Marked as answer by Alan.Gim Wednesday, September 14, 2011 1:38 AM
    Friday, September 9, 2011 12:59 AM

All replies

  • Many thanks for your reply. 

    So once we have created a mailbox account, can I disable it straight away, or do I have to wait for some synchronisation with the Exchange server in order for emails to work?

    Many thanks,

    Mike 
    Friday, September 9, 2011 8:36 AM
  • On Fri, 9 Sep 2011 08:36:11 +0000, RogueViper101 wrote:
     
    >Many thanks for your reply. So once we created a mailbox account can I disable it straight away or do I have to wait for some synchronisation between the exchange server? In order for emails to work.
     
    Disable it as soon as you want to. E-mail delivery to the mailbox
    isn't going to be affected. It isn't the mailbox you're disabling,
    it's the user.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, September 10, 2011 12:26 AM
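
An added example, not part of the original thread, of the approach the answers describe: list the mailbox-holding user objects in the OU that are still enabled, review them, then disable them. The OU distinguished name and the CSV file name are placeholders, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: audit, then disable, enabled AD users that hold a mailbox.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: placeholder DN, replace with the DN of your own "resources" OU.
$SearchBase = 'OU=Resources,DC=example,DC=com'

# Mailbox-enabled user objects (msExchMailboxGuid is set) whose ACCOUNTDISABLE
# bit (0x2 in userAccountControl) is NOT set, i.e. accounts that can still log on.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$accounts = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
    -SearchScope Subtree -Properties lastLogonTimestamp, pwdLastSet, memberOf, mail

# Review report. A recent LastLogon means someone still signs in as the
# account; GroupCount hints at how much access the account has accumulated.
$report = $accounts | Select-Object SamAccountName, mail,
    @{ n = 'LastLogon';   e = { if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } },
    @{ n = 'PasswordSet'; e = { if ($_.pwdLastSet) {
            [DateTime]::FromFileTimeUtc($_.pwdLastSet) } } },
    @{ n = 'GroupCount';  e = { @($_.memberOf).Count } }

$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Keep a record of the state before the change (placeholder file name).
$report | Export-Csv -Path .\resource-accounts-before.csv -NoTypeInformation

# Dry run: shows what would be disabled. Remove -WhatIf after reviewing the list.
$accounts | Disable-ADAccount -WhatIf

# After the real run, this count should be 0 for the OU.
(Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase | Measure-Object).Count
```

Only the AD user object is disabled; the mailbox itself is not touched, which matches the reply above that delivery to the mailbox is not affected.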