Disabled Users mailbox still accepts messages

Status
Not open for further replies.

dixson

IS-IT--Management
Aug 27, 2003
We just found out that the mailboxes of disabled users on Active Directory still accept messages sent by other users on Active Directory. How do I prevent this from happening?

Windows 2003 AD SP2
Exchange 2003 SP2 on Windows 2003 SP2
 
You could:

remove the SMTP addresses.

Remove exchange attributes.

Iain
 
This is not by design - have you waited for AD to replicate?
 
If the disabled account had msExchMasterAccountSID attribute set (to SELF as it should - otherwise you get a 9548) then yes it continues to receive mail. The account is disabled and the user cannot log into the mailbox, but other accounts that have permissions to the mailbox or folders in it can access it. That is exactly how you set up a resource account. This is by design.

To stop all access to the mailbox, delete it, disconnect it (remove the exchange attributes from the disabled account) or simply remove the smtp address from the user account.
 
I think that change only came about with SP2 or a post-SP2 hotfix.
Before that for a disabled account you had to set the AssociatedExternalAccount right to allow it to receive mail.

Neill
 
I believe you can also just hide the mailbox (from internal users) and use delivery restrictions and set the administrator or some other account as the only one that can send to the mailbox. This way you can keep the mailbox and no new mail will arrive.
 
Another option someone on this site recommended was to create a group with no members, then forward mail to that distribution group. The mail will die with no NDRs.

CCA Citrix 4.0
MCP 2003
70-290 Passed
70-291 Passed
70-270 Passed
70-284 - working on it...
 
Thanks everybody... the easiest way is to remove all the SMTP addresses on the mailbox.
Until some time ago, when we disabled a mailbox, all messages to the user (internal or external) would bounce back. Why did this issue happen in the first place? Is it the Windows SP2 or some other patch?
 
If you don't put self as msExchMasterAccountSID (the attribute that maps to the associated external account - they're the same thing. I prefer to use the name of the attribute msexchMasterAccountSID). If you don't set the attribute, then mail bounces and a 9548 is logged. The proper disposition is to disable the account and set the attribute until such time as you delete the account.

If you don't need access to the mail, and don't want NDRs, strip the smtp account from the user and give it to a DG with no members.

If you don't want the mail and do want it to NDR, just remove the smtp address from the user.

If you do want the mail, strip the smtp address from the user and add it to another mail enabled object (user or PF) where you want the mail to be delivered. Assign the party responsible for reviewing the mail appropriate permissions to the mail enabled object.


 
zbnet,

Yes, the logic was finally changed in SP2. BTW, Alex Siegler is the author of NOMAS (and certainly a veteran of countless issues with synchronization between msexchMasterAccountSID and msexchSecurityDescriptor) although he gave it up long ago and I believe Dave Goldman is now the keeper of the code (along with oabinteg - more power to you Dave).
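
An audit sketch for the situation discussed in this thread, added here as an example and not posted by any participant: it finds disabled accounts that still have a mailbox and labels each one using the SP2 behaviour the posters describe. The function names and the sample records are hypothetical and constructed; the unnamed fourth case (attribute set to some other account) is flagged for manual review because the thread does not cover it.

```powershell
# Added example, not from the thread. Rules below are the ones the posters describe
# for Exchange 2003 SP2; function names are hypothetical. Requires PowerShell 3+.
$SelfSid = 'S-1-5-10'   # well-known SID for SELF
# Disabled user objects (UAC bit 2) that still have a mailbox (homeMDB set).
$Filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2)(homeMDB=*))'

function Get-DisabledMailboxAccount {   # live query via ADSI from a domain-joined host
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        $sid = $r.Properties['msexchmasteraccountsid']   # binary SID, may be absent
        [pscustomobject]@{
            SamAccountName   = [string]$r.Properties['samaccountname'][0]
            ProxyAddresses   = @($r.Properties['proxyaddresses'])
            MasterAccountSid = if ($sid.Count) {
                (New-Object System.Security.Principal.SecurityIdentifier($sid[0], 0)).Value
            } else { $null }
        }
    }
}

function Get-DisabledMailboxDisposition {
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        # -match is case-insensitive, so primary (SMTP:) and secondary (smtp:) both count
        $smtp = @($Account.ProxyAddresses | Where-Object { $_ -match '^smtp:' })
        $state = if ($smtp.Count -eq 0) {
            'No SMTP address: nothing is delivered to this mailbox'
        } elseif (-not $Account.MasterAccountSid) {
            'msExchMasterAccountSID not set: mail bounces, event 9548'
        } elseif ($Account.MasterAccountSid -eq $SelfSid) {
            'Receives mail: readable by anyone with mailbox permissions'
        } else { 'msExchMasterAccountSID set to another account: review manually' }
        [pscustomobject]@{ Account = $Account.SamAccountName; Disposition = $state }
    }
}

# Constructed sample records so the classifier runs without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; MasterAccountSid = 'S-1-5-10'
                       ProxyAddresses = @('SMTP:jdoe@example.test', 'X400:c=US;a= ;p=Org;') }
    [pscustomobject]@{ SamAccountName = 'asmith'; MasterAccountSid = $null
                       ProxyAddresses = @('SMTP:asmith@example.test') }
    [pscustomobject]@{ SamAccountName = 'bleaver'; MasterAccountSid = 'S-1-5-10'
                       ProxyAddresses = @('X400:c=US;a= ;p=Org;') }
)
$sample | Get-DisabledMailboxDisposition | Format-Table -AutoSize
# Against a real domain: Get-DisabledMailboxAccount | Get-DisabledMailboxDisposition
```

Accounts reported as still receiving mail are the ones to check for leftover delegate permissions, since the thread notes that a disabled owner does not stop other accounts from opening the mailbox.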

 