Disabled Accounts

We have an employee that was terminated and we want to disable his AD account.  If we disable his account but forward his mail to someone else - will the mail be sent on?

Thanks,
Scott

LeeDerbyshire commented:
Mail sent to disabled accounts will get rejected, unless you tweak some of its AD properties.  I think you will find it easier to just assign the existing email address to another user in ADUC.

I've never tried the aforementioned tweaks, but I think this describes what you would need to do to get mail accepted. Even then, I don't know if the server-side rules would continue to work:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q319047

scottvin (Author) commented:
Hmm - I set up a test account, disabled the account and set it up to forward to my account and the emails are being forwarded.  Should they not be?

LeeDerbyshire commented:
As far as I know, they should get rejected - that is what I have always believed.  I would wait for a few hours until you can be sure that your AD has updated completely.  Which version of Exchange do you have?  I have servers running all versions here, so I can try to duplicate your findings.

amaheshwari commented:
What you can do is go to the user properties in ADUC and place a forwarder in Exchange General ... Delivery Options, Set the Forwarder ... and then go to Exchange Advanced and hide the user from the address list. Now the user cannot be seen in the Global Address List of Exchange.

If you want the user to be unable to access his AD account, just reset the user's password.


Thanks
Ashish

mulshoefer commented:
Couldn't you just add the address under the Email-addresses tab in AD and then you can either delete the old account or leave it disabled with new mailbox attached to it?

scottvin (Author) commented:
I have Exchange Server 2003 Enterprise and mixed 2000 and 2003 domain controllers.

I have checked the ADUC in each domain controller and the account is disabled.  We reset the password as well. I am just interested as to why it is still receiving mail if it is not supposed to be.

LeeDerbyshire commented:
This suggests that internal mail will be delivered, but not external mail, if I'm reading it correctly.

http://www.eggheadcafe.com/aspnet_answers/Exchangeadmin/Apr2006/post26860284.asp

scottvin (Author) commented:
Hmm - just sent that Test Account an email from my Gmail account and it went through.

Also, I cannot log in to the network using that account.

LeeDerbyshire commented:
I disabled a test account here, and mail gets delivered to it okay - both internally and externally.  Either I'm wrong about this, or you have to wait a really long time for it to take effect.  If it's still accepting mail tomorrow, I'll have to do some serious research into this, and see why there appears to be so much conflicting information.

mulshoefer commented:
Exchange takes a long time for certain items to update.  When working with their support, they told us some changes take 2-3 hours to take place.  

LeeDerbyshire commented:
This article suggests that it might take several hours:

http://hellomate.typepad.com/exchange/2004/07/ndrs_disabled_a.html

It also seems to suggest that even though an NDR is generated, the mail still actually gets delivered.

scottvin (Author) commented:
Well, I will try 24 hours from when I disabled the account and let you all know.

Sembee commented:
The other option is don't disable the account.
If the user has been ejected out of the building, change their password, reboot the workstation. Then hide the account from the GAL, strip it of all permissions and then set the logon to options on the account to be the domain controller or something. That account cannot be used, but will still function.

Although if you are only worried about email, hide the account from the GAL, set a forward on the account and then move the SMTP address. Disable the account and all internal email will fail. External email will go with the SMTP address.

Simon.

LeeDerbyshire commented:
Well, today I'm getting NDRs if I send to my disabled test account, but the mail does seem to get delivered.  If you want the account disabled, it looks like you'll need to do the AD hack to get rid of the NDRs, and then forward the mail.  I think the best options are the ones already mentioned, i.e. assigning a special password, and letting the mailbox continue as before, but give someone else access or forward the mail; or disable the account, but give the email address to another user.  You've a few options actually, it depends if you want the mail going to the same mailbox, or not; and who you want any replies going from.

scottvin (Author) commented:
Still forwarding both external and internal mail today.  I am not receiving any NDRs; however, I am not keeping a copy for that account.
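
An added example, not part of the thread or anyone's post in it: since a disabled account can evidently keep receiving and forwarding mail, an offboarding check can list every disabled account that still owns a mailbox and report its forwarding and address-list state. It parses an `ldifde`-style export; the sample records are constructed, and reading the ADUC forwarder, "keep a copy" and hide options from the `altRecipient`, `deliverAndRedirect` and `msExchHideFromAddressLists` attributes is this example's assumption.

```python
import base64

UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled account
# Constructed sample shaped like an ldifde export; every name is invented.
SAMPLE_LDIF = """\
dn: CN=Test Leaver,OU=Staff,DC=example,DC=local
sAMAccountName: tleaver
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),DC=example,DC=local
altRecipient: CN=Scott Manager,OU=Staff,
 DC=example,DC=local
deliverAndRedirect: FALSE

dn: CN=Old Temp,OU=Staff,DC=example,DC=local
sAMAccountName: otemp
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),DC=example,DC=local
msExchHideFromAddressLists: TRUE

dn: CN=Active User,OU=Staff,DC=example,DC=local
sAMAccountName: auser
userAccountControl: 512
"""

def parse_ldif(text):
    """Yield one dict per record, unfolding continuation lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in filter(None, block.split("\n")):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            rec.setdefault(name.lower(), []).append(value.strip())
        if rec:
            yield rec

def audit_disabled_mailboxes(text):
    """Return (account, findings) for disabled accounts that still own a mailbox."""
    report = []
    for rec in parse_ldif(text):
        first = lambda attr: rec.get(attr, [""])[0]
        if not (int(first("useraccountcontrol") or 0) & UF_ACCOUNTDISABLE and first("homemdb")):
            continue
        fwd, copy = first("altrecipient"), first("deliverandredirect").upper() == "TRUE"
        findings = [f"forwards to {fwd}, copy kept: {copy}" if fwd else "no forwarder set"]
        if first("msexchhidefromaddresslists").upper() != "TRUE":
            findings.append("still visible in the GAL")
        report.append((first("samaccountname"), findings))
    return report
```

Running `audit_disabled_mailboxes` over a real export gives a review list of leavers' mailboxes whose forwarding target or address-list visibility still needs a decision.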