How does Exchange handle disabled/expired Active Directory accounts?

    Question

  • Hello all,

    I am hoping someone can clarify this for me. If you disable or expire an account, does it take a while for those changes to take effect in regards to OWA?

    What I've noticed from my test network is:

    Exchange 2003: disabling or expiring an account will still allow mail to be sent to the mailbox, but trying to log in via OWA is disabled as soon as the account is expired.

    Exchange 2010: disabling or expiring an account will still allow mail to be sent to the mailbox, but there is a short period of time where a user can still log in to OWA even while the account is disabled or expired.

    Exchange 2007: I am not sure about this as I don't have this in my test lab.

    Am I correct in my observations? If so, why is there a window where a user can access OWA with a disabled account in Exchange 2010?

    Thanks!

    Sunday, July 11, 2010 2:20 PM

Answers

  • Hi,

    After disabling the mailbox account, just run IISReset on the command line on the Exch 2010 CAS server, and then it won't let you log in.

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
    • Proposed as answer by Laeeq Qazi Thursday, July 15, 2010 9:28 AM
    • Marked as answer by Allen Song Friday, July 23, 2010 9:17 AM
    Sunday, July 11, 2010 6:13 PM
  • Hi,

    Yes, that's by design in Exchange 2007 and Exchange 2010. I can reproduce this issue.

    Thanks

    Allen

    • Proposed as answer by Laeeq Qazi Thursday, July 15, 2010 9:28 AM
    • Marked as answer by Allen Song Friday, July 23, 2010 9:16 AM
    Thursday, July 15, 2010 8:08 AM

All replies

  • With your 2010 lab how long is that period and was the account disabled whilst someone was already logged on or did you disable the account and then try to log on?
    "in2jars" wrote in message news:c9c7dc0f-ec07-43aa-b6bc-e9cae27c4cf7...

    Hello all,

    I am hoping someone can clarify this for me. If you disable or expire an account, does it take a while for those changes to take effect in regards to OWA?

    What I've noticed from my test network is:

    Exchange 2003: disabling or expiring an account will still allow mail to be sent to the mailbox, but trying to log in via OWA is disabled as soon as the account is expired.

    Exchange 2010: disabling or expiring an account will still allow mail to be sent to the mailbox, but there is a short period of time where a user can still log in to OWA even while the account is disabled or expired.

    Exchange 2007: I am not sure about this as I don't have this in my test lab.

    Am I correct in my observations? If so, why is there a window where a user can access OWA with a disabled account in Exchange 2010?

    Thanks!


    Mark Arnold, Exchange MVP.
    Sunday, July 11, 2010 3:40 PM
  • I am not sure how long exactly. I think it was longer than 30 minutes. I was logged on under another user in Windows. I just tried logging in OWA as the account I had disabled.

    So, I disabled the account, then tried to log in with OWA and it let me.

    My test lab has a 2003 and 2010 server in it (I was testing out a transition from 2003 to 2010). I did not think this was the behavior with 2003, so just to test I created a test user and placed their mailbox on the 2003 server. When I disabled the account and then tried to log in via OWA (with the URL of the 2003 machine so there is no redirection or anything to worry about) it would not let me. So the disabling was immediate on 2003.

    Sunday, July 11, 2010 3:55 PM
  • Hi,

    After disabling the mailbox account, just run IISReset on the command line on the Exch 2010 CAS server, and then it won't let you log in.

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

    OK, I am wondering if this is by design or not? If I disable an account is there really a period of time where someone could still log in with OWA?
    Sunday, July 11, 2010 6:26 PM
  • Hi,

    Sorry to re-awaken this one, but it is something I'm very interested in getting to the bottom of. I'm getting the same OWA issue in Exchange 2010 and was wondering if there was a way to prevent the behaviour of users still being able to log in to OWA, despite being locked or disabled.

    Is there a way to minimise this 'window of opportunity'?

    Thanks,

    Chris

    Friday, February 25, 2011 2:44 PM
  • That's interesting to know. I would have expected that users in 2007/2010 would not be able to log in as soon as Exchange gets notification of the change.
    Friday, February 25, 2011 2:53 PM
  • I think it's simply that notification interval that is the issue; it just seems (for me) too long.
    Friday, February 25, 2011 3:47 PM
  • By design; please refer to the articles below.

    Changing the Default Interval for User Tokens in IIS
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;152526

    XWEB: Mailbox Access via OWA Depends on IIS Token Cache
    http://support.microsoft.com/kb/173658
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Proposed as answer by Jamestechman Saturday, February 26, 2011 4:20 PM
    Friday, February 25, 2011 4:14 PM
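As an added illustration (not posted in this thread, and not Microsoft's own script): the articles above explain that OWA on the CAS keeps working for a disabled account until the cached IIS user token expires. The script below reads and shortens that cache lifetime, assuming, per KB 152526, that it is the DWORD value UserTokenTTL (seconds) under HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters with a 15-minute default when absent; the key, value name and default are taken from the cited KB, not from this page.

```powershell
# Added example; run elevated on the Exchange 2010 CAS. Assumes (per KB 152526, cited above)
# that IIS caches user tokens for 15 minutes by default and that the lifetime is the DWORD
# UserTokenTTL (seconds) under InetInfo\Parameters. IIS must be restarted to apply the change.
param([int]$TtlSeconds = 60)   # new lifetime; 60 s keeps the post-disable window short

$key            = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$name           = 'UserTokenTTL'
$defaultSeconds = 900          # assumed default (15 minutes) when the value is not set

function Get-UserTokenTtl {
    # Returns the effective token lifetime in seconds (default if the value is absent).
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $defaultSeconds }
    return [int]$p.$name
}

$before = Get-UserTokenTtl
Write-Host ("Current IIS user token lifetime: {0} s " +
            "(upper bound on how long a freshly disabled account can still use OWA)") -f $before

if ($TtlSeconds -lt 1) { throw 'TTL must be at least 1 second' }
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

if ($null -eq (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $key -Name $name -Value $TtlSeconds -PropertyType DWord | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $TtlSeconds
}

$after = Get-UserTokenTtl
Write-Host "Set $name to $after s (was $before s); run iisreset on the CAS for it to take effect."
Write-Host 'Trade-off: a shorter TTL means OWA re-authenticates against the DCs more often.'
```

Until the value is lowered and IIS restarted, the only immediate way to close the window remains the IISReset suggested earlier in the thread, which drops every cached token, including those of legitimate users.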