Solved

Disabled AD account and user still able to send emails after 1 hour

Posted on 2014-04-17
Last Modified: 2014-05-01
Hello Experts

I have a client that recently disabled an account in AD at 11:00 AM EST today for one exiting employee; however, the employee was able to send an email around noon, I mean one hour after his account was disabled in AD.

Please correct me if I'm wrong, but when an AD account is disabled, the mailbox is automatically disabled and moved to an Exchange container called Disconnected Mailboxes that you can see in the Exchange Management Console [Exchange 2010].

What could have happened that a user is still able to send emails after one hour, even though the AD account is disabled?

I know by default the replication in AD takes 15 minutes and you can force the replication among all DCs. So, we do have a child tree domain with 3 domains. Our Exchange servers are 2010 SP3 and the forest/domain level is Windows 2008 R2.

How long will it take to replicate all changes in AD and Exchange once an account is disabled?

Is there a manual task required to be performed in Exchange once an AD account is disabled?

Is there a PowerShell cmdlet that we can use to identify when an AD account was disabled and display all properties for that user? Same for Exchange.

Please advise
Question by:Jerry Seinfield
LVL 34

Expert Comment

by:Seth Simmons
ID: 40007226
Disabling an AD account doesn't disconnect the mailbox.
You disconnect the mailbox through EMC or EMS.

Disable a Mailbox
http://technet.microsoft.com/en-us/library/bb123730%28v=exchg.141%29.aspx
LVL 2

Expert Comment

by:NxJNY
ID: 40007227
Are they sending from a mobile device or a domain PC?

Author Comment

by:Jerry Seinfield
ID: 40007279
From both: one user sent from a mobile phone and the other user from a domain laptop.
LVL 2

Expert Comment

by:NxJNY
ID: 40007290
I know that once an AD account is disabled it takes about 24 hours for it to sync up with OMA. If the domain laptop has a POP email account, that may be the answer to your question also.

Author Comment

by:Jerry Seinfield
ID: 40007292
So, if I understood correctly, if I disable only the account in AD, this will not automatically disable the mailbox? Correct?

If the above assumption is correct, what do you mean by it takes 24 hours to sync up with OMA?
LVL 2

Assisted Solution

by:NxJNY
NxJNY earned 63 total points
ID: 40007387
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 125 total points
ID: 40007476
This has to do with open sessions not expiring when the account is disabled. To get around this, when you term a user, set the logon hours to "logon denied" for all hours. This will immediately terminate any open sessions.

For more details, see here - http://jamiemckillop.wordpress.com/2012/10/06/properly-terminating-user-access/

-JJ
LVL 16

Assisted Solution

by:Enphyniti
Enphyniti earned 312 total points
ID: 40007509
I wrote a "super disable" script to address this issue that performs the following:

 - Disables the user account in AD
 - Disables OWA/OMA access
 - Queries and blocks connections from any mobile device associated to the user
 - Disables activesync access
 - Resets the user password

This covers *most* of the holes in email access after disabling.

Granted, you could get around the issue by restarting IIS on your CAS, but that is not something I can do at will.

Author Comment

by:Jerry Seinfield
ID: 40007583
Enphyniti, can you please provide your super disable script to address this issue?
LVL 16

Assisted Solution

by:Enphyniti
Enphyniti earned 312 total points
ID: 40007662
Hrmm... why not?

Note: this was written to be used interactively (think helpdesk staff) so there is a bit of user interface, if you will.

It requires the Exchange Management Shell and the ActiveDirectory module. Will bork without both.

Note: if you want to remote wipe the mobile devices, you need to do it before you block them from connecting.

Use at your own risk, no guarantees, yada yada yada - I am a poor programmer.

Just run it and follow the prompts.

Also - I reviewed and scrubbed the file of sensitive information, but if I missed anything, please let me know.

# Requires the Exchange Management Shell (Exchange 2010) and the ActiveDirectory module.
if (!(Get-Command Get-Mailbox -ErrorAction SilentlyContinue)) {
	Write-Host
	Write-Host
	Write-Host -f Red "Looks like you are not running in the Exchange Management Shell"
	Write-Host
	Write-Host -f Yellow "Please make sure you are running the Exchange Management Shell (Exchange Powershell)"
	Write-Host
	Write-Host
	exit
}

Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if (!(Get-Command Get-ADUser -ErrorAction SilentlyContinue)) {
	Write-Host
	Write-Host
	Write-Host -f Red "Looks like you do not have AD mgmt available on this system"
	Write-Host
	Write-Host -f Yellow "Please install active directory management module"
	Write-Host
	Write-Host
	exit
}

Clear-Host
Write-Host
Write-Host
Write-Host -f Black -b Cyan "============= Super Disable User Script ============="
Write-Host
Write-Host
Write-Host
Write-Host -f Cyan "This script performs the following on the user object:"
Write-Host -f Yellow "      -Disables the user account"
Write-Host -f Yellow "      -Disables OWA access"
Write-Host -f Yellow "      -Blocks all mobile devices associated with this account (this account only)"
Write-Host -f Yellow "      -Disables ActiveSync Access"
Write-Host -f Yellow "      -Resets the user password"
Write-Host
Write-Host -f Cyan "...Not necessarily in that order."
Write-Host
Write-Host -f Yellow "NOTE:  If you wish to wipe their remote device, it must be done BEFORE running this script."
Write-Host
Write-Host

# Prompt until an existing AD user is entered. -ErrorAction Stop turns a failed
# lookup into a terminating error so the catch block actually runs.
$validUser = $false
while (-not $validUser) {
	Write-Host
	$disUser = Read-Host "Please enter username to be disabled"
	try {
		Get-ADUser -Identity $disUser -ErrorAction Stop | Out-Null
		$validUser = $true
	} catch {
		Write-Host
		Write-Host -f Red "User " -NoNewline; Write-Host -f Yellow $disUser -NoNewline; Write-Host -f Red " cannot be found."
	}
}
Write-Host
Write-Host -f Cyan "User " -NoNewline; Write-Host -f Yellow $disUser -NoNewline; Write-Host -f Cyan " found."
Write-Host -f Cyan "Are you sure you want to Super-Disable user: " -NoNewline; Write-Host -f Yellow $disUser -NoNewline; Write-Host -f Cyan "?"
Write-Host

# Confirmation prompt; the default choice (index 1) is No.
$caption = "Super-Disable"
$message = "Proceed with disabling $disUser?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", ""
$no  = New-Object System.Management.Automation.Host.ChoiceDescription "&No", ""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $Host.UI.PromptForChoice($caption, $message, $choices, 1)
if ($result -eq 1) {
	Write-Host
	Write-Host -f Red "Canceling operation"
	Write-Host
	Write-Host
	exit
}
Write-Host
Write-Host
Write-Host

<#
	Block existing mobile device IDs. Collect the device IDs currently known for the
	mailbox, keep unique values only (avoids errors on the Set-CASMailbox call) and
	block them. Skipped when no devices are known: passing an empty list would clear
	any block list already present on the mailbox.
#>
Write-Host -f Cyan "Disabling associated mobile devices from accessing this account..."
[array] $devicesList = @()
foreach ($dev in (Get-ActiveSyncDeviceStatistics -Mailbox $disUser)) {
	$devicesList += $dev.DeviceID
}
$devicesList = @($devicesList | Select-Object -Unique)
if ($devicesList.Count -gt 0) {
	Set-CASMailbox -Identity $disUser -ActiveSyncBlockedDeviceIDs $devicesList
}

# Disable ActiveSync for user account
Write-Host -f Cyan "Disabling user ActiveSync access..."
Set-CASMailbox -Identity $disUser -ActiveSyncEnabled $false

# Disable OWA (and the EWS/ECP web services) for user account
Write-Host -f Cyan "Disabling user OWA Access..."
Set-CASMailbox -Identity $disUser -OWAEnabled $false
Set-CASMailbox -Identity $disUser -EwsEnabled $false
Set-CASMailbox -Identity $disUser -ECPEnabled $false

# Reset user password. -Reset sets the new password without requiring the old one.
Write-Host -f Cyan "Enter new password for user: " -NoNewline
$disUserPass = Read-Host -AsSecureString
Set-ADAccountPassword -Identity $disUser -Reset -NewPassword $disUserPass
Write-Host -f Cyan "User password reset..."

# Disable user account
Set-ADUser -Identity $disUser -Enabled $false
Write-Host -f Cyan "User account disabled..."
Write-Host -f Yellow "      Please remember to move this user into the ""Disabled Users"" Sub-OU"
Write-Host
Write-Host
Write-Host

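A read-only companion to the script above, added here as an example and not part of the thread: it reports the state of each access path the script closes and looks up the Security event (ID 4725, "A user account was disabled") that records when, and on which DC, the account was disabled, which also answers the original question about a cmdlet for that. It assumes the Exchange 2010 Management Shell and the ActiveDirectory module are loaded, and that the domain's DCs audit user account management; the event lookup covers the DCs of the current domain only.

```powershell
# Added example (not from the thread): read-only check of the access paths the
# script above closes, plus the event that records when the account was disabled.
# Assumes the Exchange 2010 Management Shell and the ActiveDirectory module.
param([Parameter(Mandatory = $true)][string]$User)

function Get-DisableEvents {
    # Event 4725 ("A user account was disabled") is written only on the DC that
    # processed the change, so every DC in the current domain is asked.
    param([string]$SamAccountName)
    $pattern = "(?s)Target Account:.*?Account Name:\s+" + [regex]::Escape($SamAccountName) + "\s"
    foreach ($dc in (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4725 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated
    }
}

$ad      = Get-ADUser -Identity $User -Properties Enabled, whenChanged, PasswordLastSet
$cas     = Get-CASMailbox -Identity $User
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $User -ErrorAction SilentlyContinue)
$blocked = @($cas.ActiveSyncBlockedDeviceIDs)

# Each field is one path a "disabled" user could still use to send mail.
New-Object PSObject -Property @{
    User              = $ad.SamAccountName
    Enabled           = $ad.Enabled
    PasswordLastSet   = $ad.PasswordLastSet
    LastChanged       = $ad.whenChanged        # coarse: any attribute write moves it
    OwaEnabled        = $cas.OWAEnabled
    EwsEnabled        = $cas.EwsEnabled
    ActiveSyncEnabled = $cas.ActiveSyncEnabled
    DevicesSeen       = $devices.Count
    DevicesNotBlocked = @($devices | Where-Object { $blocked -notcontains $_.DeviceID }).Count
} | Format-List

"Disable events (4725) per DC:"
Get-DisableEvents -SamAccountName $ad.SamAccountName | Format-Table -AutoSize
```

Run it once before and once after an offboarding: a user with Enabled False but OwaEnabled True, or with DevicesNotBlocked above zero, is exactly the case the thread describes.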
LVL 11

Expert Comment

by:hecgomrec
ID: 40009993
The trick in the script is the user password reset; also, if you want it faster, go to the mailbox and disable or block the mobile devices he may have.

More... create a group for "Disabled users", put the users there and remove them from any other group.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40014726
This is becoming overly complicated. As I stated previously, you only need to set the logon hours to denied for all time periods. This will immediately disconnect any active sessions and will not allow the user to authenticate again. There is no need to disable protocols or block devices.

-JJ
LVL 16

Assisted Solution

by:Enphyniti
Enphyniti earned 312 total points
ID: 40015391
@jjmck - if the user has authenticated via IIS prior to being disabled, your method will not prevent logon to OWA/OMA services until the token expires or until you bounce IIS.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40015428
@Enphyniti - Yes, it will prevent logon. When you set logon hours on the AD account, in conjunction with setting the Network security: Force logoff when logon hours expire policy, any open sessions are automatically terminated when the logon hours expire. If you set all hours to denied, the user will be logged out of any active sessions immediately. I've tested this extensively and it works.

-JJ
LVL 11

Expert Comment

by:hecgomrec
ID: 40015440
Well, I will try it... I never knew it would kill the user session... good to know... thanks!!

Author Comment

by:Jerry Seinfield
ID: 40015648
Hi @Enphynit and jjmck, please validate and confirm that when you set logon hours on the AD account all the OWA/OMA sessions will be terminated.

BTW, what do you mean by setting the network security? Can you be more specific?
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 125 total points
ID: 40015679
In your Default Domain Group Policy, under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network Security, set "Network Security: Force logoff when logon hours expire" to "Enabled".

If you set that policy then set the logon hours on an account to denied on all hours, any active OWA/OMA sessions will be terminated.

-JJ
LVL 16

Expert Comment

by:Enphyniti
ID: 40015719
Well I cannot speak for everyone, but I just disabled an account and set all logon hours to denied.

I waited 5 minutes, and then logged into OWA with that account and sent myself an email.

Author Comment

by:Jerry Seinfield
ID: 40015737
Thanks Everyone for all the support
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40015739
Did you set this:

In your Default Domain Group Policy, under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network Security, set "Network Security: Force logoff when logon hours expire" to "Enabled".

Also, if you logged on AFTER you set all logon hours to denied, then you likely have an AD replication issue. We aren't talking about open sessions at that point. You are creating a new session, which you shouldn't be able to do if you are outside the allowed logon hours.

-JJ
LVL 16

Assisted Solution

by:Enphyniti
Enphyniti earned 312 total points
ID: 40015753
Yes, force logoff is enabled.  No AD replication issues.  I just logged into OWA right before I disabled the account and then logged off.

The issue is that IIS and OWA create a token for that user and assume it's valid. They cache that token and do not check AD for subsequent authentication requests until that token expires. The same thing happens if you reset a user's password: the old one will still work for OWA if they have an un-expired token on the IIS server.

To test:
1. Log in to OWA with a test account.
2. Log out of OWA.
3. Change the test account password in AD.
4. Log in to OWA using the old password.

Author Comment

by:Jerry Seinfield
ID: 40015773
Hi jjmk,

I would like to use the PowerShell script provided by Enphy, in conjunction with your proposed solution. Since I do not want to touch the default domain policy, would it be possible to create a new OU, move the disabled users there, and apply a new GPO to perform the following? Should we create a computer or user GPO?

In your Default Domain Group Policy, under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network Security, set "Network Security: Force logoff when logon hours expire" to "Enabled".
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40015798
@Enphynit - Not sure what to tell you. I just tested again. I logged on to OWA with my test account then set the logon hours to denied. Within a couple of minutes, I was getting logon denied as I was clicking around in the mailbox. When the "Force logoff when logon hours expire" is set, the token will be revoked.

@febenitezc - Yes, you can create a separate group policy and set this at the OU level. This is a computer policy so it will need to be on the OU the computer is in.

-JJ
LVL 16

Accepted Solution

by:
Enphyniti earned 312 total points
ID: 40015960
Weird.  I guess chalk it up to the fact that the domain I'm working with began life at a 2000 functional level.  Maybe?


@febenitezc,

If you wanted to add blocking logon hours via powershell, you can add the following nearly anywhere:

[byte[]]$denyHours = @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
get-aduser $disUser | set-aduser -replace @{logonHours = $denyhours}
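The deny-all logonHours write from the post above, wrapped as an added example (not from the thread) with a read-back check, so the write and the verification hit the same DC and replication lag is not mistaken for the setting not working. It assumes the ActiveDirectory module; the account and DC names in the usage lines are placeholders.

```powershell
# Added example (not from the thread): the deny-all logonHours write from the post
# above, with a read-back check. Assumes the ActiveDirectory module is loaded.
# logonHours is a 21-byte bitmap, one bit per hour of the week (7 x 24 = 168 bits).
# A zero bit denies that hour, so 21 zero bytes denies logon at every hour; an
# ABSENT attribute means the opposite, logon allowed at all hours.

function Set-DenyAllLogonHours {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$Server   # optional: pin the write to one DC
    )
    $denyAll = New-Object byte[] 21
    $extra = @{}
    if ($Server) { $extra['Server'] = $Server }
    Set-ADUser -Identity $Identity -Replace @{ logonHours = $denyAll } @extra
}

function Test-LogonDeniedAllHours {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$Server   # read from the same DC the write went to
    )
    $extra = @{}
    if ($Server) { $extra['Server'] = $Server }
    $u = Get-ADUser -Identity $Identity -Properties logonHours @extra
    # Absent or malformed attribute: not a deny-all setting.
    if (-not $u.logonHours -or $u.logonHours.Length -ne 21) { return $false }
    foreach ($b in $u.logonHours) { if ($b -ne 0) { return $false } }
    return $true
}

function Restore-AllLogonHours {
    # Undo for a mistaken run: clearing the attribute returns the account to "allowed at all hours".
    param([Parameter(Mandatory = $true)][string]$Identity)
    Set-ADUser -Identity $Identity -Clear logonHours
}

# Usage with placeholder names ('jdoe' account, 'dc01'/'dc02' domain controllers):
# Set-DenyAllLogonHours    -Identity 'jdoe' -Server 'dc01'
# Test-LogonDeniedAllHours -Identity 'jdoe' -Server 'dc01'   # True once the write landed
# Test-LogonDeniedAllHours -Identity 'jdoe' -Server 'dc02'   # False until replication catches up
```

As the thread notes, existing sessions only drop when "Network security: Force logoff when logon hours expire" is also enabled; the attribute alone only stops new logons.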

Author Comment

by:Jerry Seinfield
ID: 40016077
OK, I will post another question on how to add blocking logon hours via PowerShell for users in a specific OU.