?
Solved

disabling users in active directory then enabling removes permissions

Posted on 2006-06-19
2
Medium Priority
?
243 Views
Last Modified: 2010-03-06
In the past, we have created a new user w/in AD and associating a mailbox on the exchange server & giving these accounts a typical password.  Well,  the new users are no longer contacting the IT department to get them up and running; other users are telling them what the initial password is.

What we have been doing is creating the user in AD + the mailbox - we send a welcome email to the user which then populates access rights (through a group policy) and then disabling the account.  We thought this was a good idea, since the password has become so "known".  The problem seems to be, once the account is created and all the necessary groups and permissions are in place and we disable it....once the employee begins and the account is enabled, it appears all group membership has disappeared along w/the access rights to the mailbox, so the mailbox is rejecting messages.  So, the mailbox has had to be deleted then recreated and all is fine and dandy.

I know we  can just change the initial password and not disable the account, and once the initial pw becomes "known" we can just change it again.  But, I'd like to find out why creating -> disabling -> enabling is messing up the configuration of the user.

Our security admin will not allow us to keep a record of user passwords - the initial passwords in a spreadsheet (he says it's a security risk - so that's out the window).  Any thoughts?
0
Comment
Question by:mdmcq5
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 13

Accepted Solution

by:
hstiles earned 750 total points
ID: 16935470
it isn't messing up the configuration, but I believe it is a common experiemnce for it to take an hour or more for the exchaneg attributes to propagate back to the user.  We no longer disable accounts as soon as a user leaves, but change the password, remove any remote access rights and leave it like that for a few weeks before exmerging their mailbox to a PST, moving home directory files and deleting account.
0
 

Author Comment

by:mdmcq5
ID: 16935797
We do the same for when a user leaves.

So, you're saying, when a user is disabled and then re-enabled, it will take an hour for the account info (including group membership & mailbox access) to propagate & become usable?
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question