Disabling users in Active Directory then enabling removes permissions
Posted on 2006-06-19
In the past, we have created a new user within AD, associated a mailbox on the Exchange server, and given these accounts a typical password. Well, the new users are no longer contacting the IT department to get them up and running; other users are telling them what the initial password is.
What we have been doing is creating the user in AD plus the mailbox, sending a welcome email to the user, which then populates access rights (through a group policy), and then disabling the account. We thought this was a good idea, since the password has become so "known". The problem seems to be that once the account is created, all the necessary groups and permissions are in place, and we disable it, then once the employee begins and the account is enabled, it appears all group membership has disappeared along with the access rights to the mailbox, so the mailbox is rejecting messages. So, the mailbox has had to be deleted then recreated, and all is fine and dandy.
I know we can just change the initial password and not disable the account, and once the initial pw becomes "known" we can just change it again. But, I'd like to find out why creating -> disabling -> enabling is messing up the configuration of the user.
Our security admin will not allow us to keep a record of user passwords - the initial passwords in a spreadsheet (he says it's a security risk - so that's out the window). Any thoughts?