Disable user immediately

  • Question

  • We found out that, even if we disable the user account in AD and disable the MAPI feature in Exchange,

    if the user didn't log off, then he is still able to open Outlook and send email.

    Any method to make it happen?

    I am thinking of setting the quota small so that he cannot send email?

    Wednesday, August 22, 2012 1:26 AM

All replies

  • I think your best bet for immediate effect is a transport rule.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Wednesday, August 22, 2012 2:20 AM
  • Or disable the mailbox.  You can always reconnect it again later (assuming deleted mailbox retention).

    Tony www.activedir.org blog:www.open-a-socket.com

    • Proposed as answer by Andy DavidMVP Wednesday, August 22, 2012 5:02 PM
    Wednesday, August 22, 2012 4:04 AM
  • Hi,
    You can also remove full mailbox access from "NT Authority\SELF", if you need to keep the mailbox for some time.

    Martina Miskovic

    • Marked as answer by Kenneth Yeung Friday, August 24, 2012 1:02 AM
    Wednesday, August 22, 2012 4:51 AM
  • In order to immediately disable a domain user account, perform the following steps on the primary domain controller (PDC):

    Note: You must have domain administrative privileges in order to perform the following steps:
    1. In User Manager for Domains choose "Account Disabled" in Users Properties.
    2. Still in the Users Properties, choose "Hours" and then Disallow all hours for this user.
    3. Open Server Manager and disable the user sessions in server manager or type "net session \\computername /delete" at the command prompt.

    Thanks, Swapnil Prajapati

    Wednesday, August 22, 2012 5:56 AM
  • In order to immediately disable a domain user account, perform the following steps on the primary domain controller (PDC):

    Note: You must have domain administrative privileges in order to perform the following steps:
    1. In User Manager for Domains choose "Account Disabled" in Users Properties.
    2. Still in the Users Properties, choose "Hours" and then Disallow all hours for this user.
    3. Open Server Manager and disable the user sessions in server manager or type "net session \\computername /delete" at the command prompt.

    Thanks, Swapnil Prajapati


    I tried it; it did not work.
    Wednesday, August 22, 2012 6:49 AM
  • Disabling MAPI updates the protocolSettings, which is cached by the information store and may not take effect immediately until the next refresh. You can disable and re-connect right away, which should update the cache (in SP2 RU3).

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, August 22, 2012 3:32 PM
  • Hi James,

    What is the meaning of "can disable and re-connect right away"? Does it mean removing the "NT Authority\SELF" permission?

    Thursday, August 23, 2012 12:54 AM
  • You can disable the mailbox, which disconnects the mailbox from the AD account; that will obviously make it so they can't log in. However, some people may want to keep the mailbox. In that case you can disable the mailbox, run Get-MailboxDatabase db1 | Clean-MailboxDatabase, then just reconnect it to the same account; all cache will be flushed.

    You can also remove the NT AUTHORITY\SELF entry on the account in the Security tab of the user in ADUC.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Marked as answer by Kenneth Yeung Friday, August 24, 2012 1:02 AM
    Thursday, August 23, 2012 2:28 PM
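
The two approaches from the marked answers, written out as an added example that is not part of the thread. It assumes the Exchange 2010 Management Shell; the function names and the `jdoe` identity are hypothetical.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# with rights to manage mailboxes. 'jdoe' is a placeholder identity.

function Block-MailboxSelfAccess {
    param([Parameter(Mandatory=$true)][string]$Identity)
    # Keep the mailbox, but remove the owner's own FullAccess entry.
    Remove-MailboxPermission -Identity $Identity -User 'NT AUTHORITY\SELF' `
        -AccessRights FullAccess -Confirm:$false
    # Return the remaining explicit entries so they can be reviewed.
    Get-MailboxPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited }
}

function Reset-MailboxConnection {
    param([Parameter(Mandatory=$true)][string]$Identity)
    # Capture everything needed to find the mailbox again BEFORE disabling:
    # once disabled, Get-Mailbox no longer resolves it.
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $saved = New-Object PSObject -Property @{
        Guid      = $mbx.ExchangeGuid.ToString()
        Database  = $mbx.Database.ToString()
        UserDN    = $mbx.DistinguishedName
        Addresses = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })
    }

    # Disconnect the mailbox from the AD account.
    Disable-Mailbox -Identity $Identity -Confirm:$false -ErrorAction Stop
    # Make the store pick up the disconnected mailbox.
    Get-MailboxDatabase -Identity $saved.Database | Clean-MailboxDatabase
    # Reconnect the same mailbox to the same account.
    Connect-Mailbox -Identity $saved.Guid -Database $saved.Database `
        -User $saved.UserDN -ErrorAction Stop

    # Re-apply the MAPI block so it is in place regardless of what the
    # reconnect restored.
    Set-CASMailbox -Identity $saved.UserDN -MAPIEnabled $false
    # Return the saved state for comparison with the reconnected mailbox.
    return $saved
}

# Option 1: keep the mailbox connected, cut the owner's access.
# Block-MailboxSelfAccess -Identity 'jdoe'
# Option 2: disable, clean, reconnect to flush the cached settings.
# Reset-MailboxConnection -Identity 'jdoe'
```

Compare the returned `Addresses` with the reconnected mailbox's `EmailAddresses` before closing the ticket, and restore any that differ.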