Dabowitt
asked on
Remove homeMDB attribute on disabled AD Account
When a user leave our organization we disabled the account for 90-120 days. This allows us to re-enable accounts if the person returns to the organization. When we do this we start getting Event ID 9548 errors on our Exchange 2000 server as shown below
Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Date: 12/19/2003
Time: 9:09:37 AM
User: N/A
Computer: JFCMAIL
Description:
Disabled user /O=EXCHANGE/OU=COMPANY/CN=
Now we don't want to re-enable to the account and my reading has come across that if I delete the homeMDB attribute the e-mail account will become invisible to Exchange.
Is the best way to approach this issue?
If yes, can I re-enable the account if the user returns?
How do I access this attribute to delete it since Exchange Tasks in AD deletes all attributes?
Other options?
Thanks,
David
Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Date: 12/19/2003
Time: 9:09:37 AM
User: N/A
Computer: JFCMAIL
Description:
Disabled user /O=EXCHANGE/OU=COMPANY/CN=
Now we don't want to re-enable to the account and my reading has come across that if I delete the homeMDB attribute the e-mail account will become invisible to Exchange.
Is the best way to approach this issue?
If yes, can I re-enable the account if the user returns?
How do I access this attribute to delete it since Exchange Tasks in AD deletes all attributes?
Other options?
Thanks,
David
ASKER
Yes, I know it is normal behavior and I reviewed eventID.net. Since this is a bothersome logging in the Event log I want to either disable the logging or fix what is causing the event to happen.
Perhaps the workaround here, as it relates.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q278966
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q278966
Not my recommendation though... nothing is broke here, it's just an annoyance. Good luck!
Another... I'd be inclined to try this one first, rather than the above:
http://support.microsoft.com/default.aspx?scid=kb;[LN];291151
http://support.microsoft.com/default.aspx?scid=kb;[LN];291151
ASKER
I guess this is just going to be an annoyance.
Jason, the first one will probably work but more a major task than I want to undertake. In the case of 291151, I checked the disabled user and both attributes have full access so this isn't the case. But thanks! Any other suggestions otherwise I will award Jason the points for the comments.
Jason, the first one will probably work but more a major task than I want to undertake. In the case of 291151, I checked the disabled user and both attributes have full access so this isn't the case. But thanks! Any other suggestions otherwise I will award Jason the points for the comments.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We did this but what we did was create an OU named disabled users, then we disabled the account and move the account to the new OU. I like your idea where we don't disable the account but disable all the access capabilities via GPO. This should be interesting!
The question now is can we disable account access via GPO to do the same thing as disabling the account?
David
The question now is can we disable account access via GPO to do the same thing as disabling the account?
David
Something along thes elines...
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q318714#10
I think this only denies network resources though... they probably can still login to the workstation locally. If so, so much for that theory.
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q318714#10
I think this only denies network resources though... they probably can still login to the workstation locally. If so, so much for that theory.
The first poster here has an alternative you could consider, if the events are bothersome:
http://www.eventid.net/display.asp?eventid=9548