Solved

Repeatedly same Disabled user accounts in Exchange 2010 about every 6 months.

Posted on 2015-02-12
6
112 Views
Last Modified: 2015-04-21
We are running exchange 2010 and for some strange reason about every 4 to 6 months I have about 15 to 20 users accounts are disabled. They get the message when logging into their web mail that their account is disabled. I then go to exchange management console and look under disconnected mailbox and i see these
account listed here. I disable their accounts and once i do that i can go back to disconnected mailbox and find their accounts and reconnect it to that user and everything is fine again until this happens again in about 4 to 6 months.


Thanks,
0
Comment
Question by:Jre19611
  • 3
  • 2
6 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40605749
You may want to check the Admin Audit Log around the time this happens. It may indicate what account this is occurring under. Be default the Admin Audit Log goes back 90 days.

From EMS you can run Search-AdminAuditLog

For example these will determine who has run these commands in the last 90 days.
Search-AdminAuditLog -Cmdlets Disable-Mailbox
Search-AdminAuditLog -Cmdlets Remove-Mailbox


You can also use the -StartDate 02/10/15 and -EndDate 02/12/15 parameters to narrow down to a time period in question.

More info on the Admin Audit Log here.
https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

If you need to configure logging settings on this you can also check out
Get-AdminAuditLogConfig and Set-AdminAuditLogConfig.

For example: Search-AdminAuditLog -Cmdlets Disable-Mailbox -StartDate 02/10/15

You don't actually need to specify both. If you do just -StartDate it goes from that date to the last entry in the log. And vice versa with end date.

Lastly, if you have Audit Account Management configured in Active Directory you can check your Security Logs on your DCs to see if anyone has modified the users accounts themselves.

More info on that here.
https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605925
Do you have any scripts that are running that are tied to a scheduled task for cleanup purposes?
Because you are saying this only happens every 3-4 months seems like there is some process running that is doing this disabling of the mailbox.

Will.
0
 

Author Comment

by:Jre19611
ID: 40605972
This is what I get after running the command:   Search-AdminAuditLog -Cmdlets Disable-Mailbox

Caller             : Test.West.edu/Faculty/John Doe "Example"
Succeeded          : True
Error              : None
RunDate            : 2/11/2015 7:12:56 AM
OriginatingServer  : EXCHANGE (14.03.0224.001)
Identity           : RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ
IsValid            : True
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:Jre19611
ID: 40605975
I have looked for any scripts that I may have and I do not see any. Maybe I am looking in the wrong place. Any suggestions on where to look for them?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605977
The script really could be launched from any machine that has admin access to this. I would check servers and also laptops/desktops of admins that have access.

Will.
0
 

Author Comment

by:Jre19611
ID: 40606083
Question: After running the above command"Search-AdminAuditLog -Cmdlets Disable-Mailbox" i noticed that the identity shows up as RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ

what or who is this?

Anyideas?
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exchange 2010, Implementing On-Prem Archiving 3 28
Exchange - Retention Policy 4 34
Recycle MSExchnge powershell app Pool 2 18
Mac OSX Mail client and Exchange 5 38
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question