Solved

Disabling AD account does not prevent mailbox access via OWA??

Posted on 2013-02-04
Last Modified: 2013-02-04
I recently found out that even though a mailbox's AD account is disabled, the mailbox can still be accessed via Outlook Web Access and ActiveSync. My question is this: does changing the AD account's password plug this security hole, or must I also remove the mailbox? I need to keep mailboxes belonging to terminated employees until all data in them is archived. This takes about a week.

thank you
0
Question by:cyberleo2000
5 Comments
 
LVL 43

Expert Comment

by:Amit
ID: 38851627
Reset the password, change the expire date and check again.
0
 
LVL 15

Expert Comment

by:jerseysam
ID: 38851631
If you change the user password, then in theory the old user would not be able to use OWA, so yes, they could not grab their mail. Do this until mail is archived, and then remove the mailbox and delete the AD user.
0
 
LVL 15

Accepted Solution

by:
jerseysam earned 500 total points
ID: 38851657
You could also use Exchange manager.

Right-click the user mailbox, Properties, Mailbox Features, Outlook Web Access, and then Disable.
0
 

Author Comment

by:cyberleo2000
ID: 38851788
I did a bit more digging and found out that even if the password is changed, the mailbox may still be accessed for a time (minutes to a few hours) with the old password, since IIS caches that information and it is not changed immediately. Seems like the best practice is a combination of disabling the password as well as disabling features such as ActiveSync, OWA and MAPI in the mailbox settings. Thanks.
0
 
LVL 43

Expert Comment

by:Amit
ID: 38851795
Password replication needs some time.
0
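
Added example, not part of the original thread: the Exchange Management Shell equivalent of the "mailbox features" steps in the accepted solution and the author's follow-up, switching off OWA, ActiveSync and MAPI for one mailbox and reading the settings back to confirm. The function name and the sample alias `jdoe` are hypothetical; it assumes PowerShell 2.0 or later with the Exchange cmdlets loaded.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Function name and the alias 'jdoe' are hypothetical.
function Disable-LeaverMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        # The three client access features named in the thread.
        $features = @('OWAEnabled', 'ActiveSyncEnabled', 'MAPIEnabled')

        if ($PSCmdlet.ShouldProcess($Identity, 'Disable OWA, ActiveSync and MAPI')) {
            # The mailbox and its data stay in place for archiving;
            # only the client access features are switched off.
            Set-CASMailbox -Identity $Identity `
                -OWAEnabled $false `
                -ActiveSyncEnabled $false `
                -MAPIEnabled $false `
                -ErrorAction Stop
        }

        # Read the settings back instead of trusting the Set call.
        $cas = Get-CASMailbox -Identity $Identity -ErrorAction Stop
        $stillEnabled = @($features | Where-Object { $cas.$_ })

        # One result object per mailbox, suitable for an offboarding log.
        New-Object PSObject -Property @{
            Mailbox      = $cas.Name
            OWA          = $cas.OWAEnabled
            ActiveSync   = $cas.ActiveSyncEnabled
            MAPI         = $cas.MAPIEnabled
            StillEnabled = ($stillEnabled -join ', ')
            Locked       = ($stillEnabled.Count -eq 0)
        }
    }
}

# Single mailbox:
Disable-LeaverMailboxAccess -Identity 'jdoe'

# Several leavers at once, listing any that did not lock cleanly:
'jdoe', 'asmith' | Disable-LeaverMailboxAccess | Where-Object { -not $_.Locked }
```

Running the function with `-WhatIf` skips the change and reports the mailbox's current settings, which is useful for auditing accounts that were disabled earlier.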
