Disabling / deleting exchange mailbox using FIM 2010

  • Question

  • Hi,

    Can we use Active Directory MA for disabling and de-provisioning the Exchange mailbox for users?

    For provisioning the exchange mailbox, we need to set the required exchange attribute mappings in AD Outbound sync rules, but I am not clear for disabling or deletion of Exchange mailbox using FIM.

    Please suggest.


    Mayank Vaish
    Tuesday, January 3, 2012 3:21 AM

Answers

  • There is a general guideline for de-provisioning in FIM but you won't find anything in there about mailbox operations (clear/delete) because these are not standard use cases supported by the AD MA.  On the mailbox provisioning side, as you probably know, all is done via a controlled PowerShell/MA interaction, but this does not extend to de-provisioning.  This is possibly because there are no universal rules governing what should/shouldn't happen with mailboxes once the linked AD account is disabled ... and these generally vary from organisation to organisation.

    In general the standard options you have at your disposal (assuming for the moment you are using a sync rule to disable the AD account) are simply the following:

    • using the standard Notification activity in an action workflow which fires (e.g. by a request-based MPR on employeeStatus changes) when the account is disabled (or maybe say 30 days later than this) to alert a sysadmin that some form of manual "mailbox cleanup" is required
    • using custom workflow activities (if you have a clear set of rules to apply in 100% of cases) to perform tasks such as empty or delete mailbox
    • using some other "out-of-bounds" housekeeping activity (e.g. PowerShell script) to run on a schedule to perform the above tasks on accounts which meet your search criteria (e.g. accounts disabled for x days)

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
    • Marked as answer by Mayank Vaish Wednesday, January 4, 2012 3:12 AM
    Tuesday, January 3, 2012 5:32 AM
  • Good explanation by Bob.

    If you want to go the Powershell way, you could use my Powershell MA (http://blog.goverco.com/2011/06/powershell-management-agent-for-fim.html)


    Regards, Soren Granfeldt
    http://granfeldt.blogspot.com
    • Marked as answer by Mayank Vaish Wednesday, January 4, 2012 3:12 AM
    Tuesday, January 3, 2012 8:02 PM
  • I usually do this with a PowerShell workflow activity. Just fire the Disable-Mailbox call when the right criteria causes a set transition. For that matter I also usually do the Enable-Mailbox this way as well as it's way more flexible.
    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    • Marked as answer by Mayank Vaish Wednesday, January 4, 2012 3:25 AM
    Tuesday, January 3, 2012 8:04 PM
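    The scheduled housekeeping option from Bob's answer and the Disable-Mailbox call from Brian's, as an added example that is not from any poster in this thread: it finds AD accounts that have been disabled for at least N days and still hold a mailbox, and disables the mailbox with a dry-run path. It assumes the ActiveDirectory module and the Exchange cmdlets are available in the session (Exchange Management Shell or an imported remote session); the threshold and log path are placeholders.

```powershell
<#
  Added example (not from any poster): scheduled mailbox cleanup for accounts that
  FIM (or an admin) has already disabled in AD. Assumes the ActiveDirectory module
  and the Exchange cmdlets are loaded in this session. Threshold and log path are
  placeholders, not values from the thread.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisabledForDays = 30,
    [string]$LogPath = 'C:\FIM\MailboxCleanup.log'   # placeholder path
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$DisabledForDays)

# whenChanged is a conservative proxy for "disabled since": disabling modifies the
# object, so an account whose last change is older than the cutoff has been disabled
# at least that long. An unrelated later change only delays cleanup, never hurries it.
# Organisations that stamp a dedicated "disabled on" attribute should filter on that.
$candidates = Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged, msExchMailboxGuid |
    Where-Object { $_.msExchMailboxGuid -and $_.whenChanged -lt $cutoff }

foreach ($user in $candidates) {
    # Confirm against Exchange rather than trusting the AD attribute alone; an admin
    # may already have run Disable-Mailbox by hand, as the thread notes happens.
    $mbx = Get-Mailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }

    # -WhatIf / -Confirm flow through ShouldProcess, so the script can be dry-run first.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable-Mailbox')) {
        Disable-Mailbox -Identity $mbx.Identity -Confirm:$false
        $entry = '{0} {1} lastChanged={2:yyyy-MM-dd} mailbox disabled' -f (Get-Date -Format s), $user.SamAccountName, $user.whenChanged
        Add-Content -Path $LogPath -Value $entry
    }
}
```

    Run it once with -WhatIf to review the candidate list before scheduling it; the log gives the audit trail the manual-notification option in Bob's answer would otherwise rely on a sysadmin to keep.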

All replies

  • Won't disabling a user's AD account (e.g., userAccountControl = 514) disable his ability to send email as well?
    Saturday, June 9, 2012 8:41 AM
  • I am interested in this subject.

    It seems that PowerShell cmdlets are the way to go. But isn't it true that these Exchange cmdlets have to run on the Exchange server? This would mean that the PS Exchange cmdlets are remotely called, with all the problems associated with that.

    Is a "How to guide" with FIM and remote PS Exchange cmdlet calls available somewhere?

    We want FIM and Exchange to work together. We are happy with the basic FIM way of creating a mailbox (via AD attributes) rather than calling the Enable-Mailbox cmdlet; it's just that we have a problem getting FIM to react to the Exchange admin sometimes running Disable-Mailbox or its console equivalent.

    And I don't think disabling the AD account will stop him sending mail. He surely won't start the Outlook client as he can't log in or be authenticated by AD, but there is nothing to prevent him using SMTP. He could write his own Java/C#/PS client and access the Exchange server that way to send mail. Reading messages from his Exchange mailbox might be trickier though with a locked AD account.

    Monday, January 7, 2013 10:27 AM