Exchange 2007, Outlook Anywhere, and Active Directory security
Posted on 2009-07-13
We've been running Exchange 2007 for well over a year now, and we've been using Outlook Anywhere (HTTP/RPC) from the beginning.
The other day, however, we ran into something we hadn't noticed before and which we've been unable to solve, which is as follows:
If a user has Outlook running using Outlook Anywhere (HTTP/RPC), and we disable their account in Active Directory, they continue to be able to use Outlook to send/receive mail, and can manage their mailbox, including being able to delete mail, for as long as they leave Outlook running.
This came about because we fired someone, and disabled their AD account. Their manager wanted the mailbox kept as it was, but we later found out that the person had been using Outlook for hours afterwards, and wiped all the mail from the account (we were able to recover it, of course, but it wasted a lot of our time to do so).
Our own testing later confirmed all this - so long as the person doesn't quit the Outlook application, they can keep using their mailbox as long as they like, we've had it going for up to eight full hours on an account which was disabled in AD.
We also confirmed this applied only to Outlook Anywhere - if the user was signed in to our VPN (which we provide via ISA 2005) and we disabled their account, they would be cut off and couldn't get back in, exactly as you would expect.
Similarly, we've confirmed that once the account was disabled, it was no longer possible to log in to OWA, or to continue to use it if you were already logged in: the problem appears to be specific to Outlook Anywhere.
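Since the post shows that flipping the "disabled" flag in AD alone does not end an established Outlook Anywhere session, the following is an added example (not code from the original post, nor a Microsoft-supplied script) of an offboarding helper for the Exchange 2007 Management Shell that records who is attached to the mailbox, rotates the password and disables the account via ADSI, and then blocks client access at the Exchange layer with Set-CASMailbox rather than relying on AD alone. The function name Invoke-MailboxLockout and the sample user "jdoe" are my own; whether the Set-CASMailbox change tears down a session that is already open is exactly what the post leaves unresolved, so the script lists the logons again afterwards for you to check rather than assuming it.

```powershell
# Added example: offboarding helper for the Exchange 2007 Management Shell.
# Assumptions (not from the original post): the function name is hypothetical,
# the shell runs with rights to modify the user object and the CAS settings,
# and the AD PowerShell module is NOT available (hence ADSI, which works on
# Windows Server 2003/2008 domains without extra modules).
function Invoke-MailboxLockout {
    param(
        [Parameter(Mandatory = $true)][string]$Identity
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # 1. Record the sessions that are live on the mailbox right now, so there
    #    is evidence of who was connected at the moment of offboarding.
    Write-Host "Logons before lockout for $($mbx.DisplayName):"
    Get-LogonStatistics -Identity $mbx.Identity |
        Select-Object UserName, ClientVersion, LastAccessTime, Latency |
        Format-Table -AutoSize

    # 2. Rotate the password first, then disable the account. A new password
    #    means a client that is forced to re-authenticate cannot get back in
    #    even if someone re-enables the account by mistake later.
    $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
    $newPassword = "Aa1!" + [Guid]::NewGuid().ToString("N")   # random, meets complexity
    $user.SetPassword($newPassword)
    $user.AccountDisabled = $true
    $user.SetInfo()

    # 3. Block access at the Exchange layer as well: deny MAPI (which covers
    #    Outlook Anywhere), and turn off OWA, ActiveSync, POP and IMAP, so the
    #    mailbox is unreachable regardless of what AD reports about the account.
    Set-CASMailbox -Identity $mbx.Identity `
        -MAPIEnabled $false `
        -MAPIBlockOutlookRpcHttp $true `
        -OWAEnabled $false `
        -ActiveSyncEnabled $false `
        -PopEnabled $false `
        -ImapEnabled $false

    # 4. Re-check. If a session from step 1 is still listed here, the client is
    #    still attached and you should expect it to keep working until it has to
    #    re-authenticate; that is the behaviour the post describes, and this is
    #    the point at which to verify it in your own environment.
    Write-Host "Logons after lockout for $($mbx.DisplayName):"
    Get-LogonStatistics -Identity $mbx.Identity |
        Select-Object UserName, ClientVersion, LastAccessTime, Latency |
        Format-Table -AutoSize
}

# Usage (sample user name is constructed for the example):
# Invoke-MailboxLockout -Identity "jdoe"
```

Run it from the Exchange Management Shell on a server with the Mailbox or CAS role tools installed. The second Get-LogonStatistics listing is the check a practitioner wants here: compare it against the first after a few minutes, and treat any session that survives as still able to send, receive and delete mail, exactly as the post observed.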