Disabling AD account does not prevent mailbox access via OWA??

Posted on 2013-02-04
Last Modified: 2013-02-04
I recently found out that even though a mailboxes' AD account is disabled, the mailbox can still be accessed via Outlook Web Access and ActiveSync. My question is this: does changing the AD account's password plug this security hole or must I also remove the mailbox. I need to keep mailboxes, belonging to terminated employees, until all data in them is archived. This takes about a week.

thank you
Question by:cyberleo2000
  • 2
  • 2
LVL 43

Expert Comment

ID: 38851627
reset the password, change the expire date and check again.
LVL 15

Expert Comment

ID: 38851631
If you change the user password then in theory the old user would not be able to use OWA so yes they could not grab their mail. Do this until mail is archived and then remove mailbox and delete AD user.
LVL 15

Accepted Solution

jerseysam earned 500 total points
ID: 38851657
You could also use Exchange manager.

Right-click the user mailbox, properties, mailbox features, Outlook Web Access, and then disable

Author Comment

ID: 38851788
I did a bit more digging and found out that even if the password is changed the mailbox may still be access for a time, minutes to a few hours with the old password since IIS caches that information and it is not changes immediately. Seems like the best practice is a combination of disabling the password as well as disabling features such as activesync, owa and mapi in the mailbox settings. thanks.
LVL 43

Expert Comment

ID: 38851795
Password replication need some time.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates‚Ķ
how to add IIS SMTP to handle application/Scanner relays into office 365.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question