Solved

Repeatedly same Disabled user accounts in Exchange 2010 about every 6 months.

Posted on 2015-02-12
6
128 Views
Last Modified: 2015-04-21
We are running exchange 2010 and for some strange reason about every 4 to 6 months I have about 15 to 20 users accounts are disabled. They get the message when logging into their web mail that their account is disabled. I then go to exchange management console and look under disconnected mailbox and i see these
account listed here. I disable their accounts and once i do that i can go back to disconnected mailbox and find their accounts and reconnect it to that user and everything is fine again until this happens again in about 4 to 6 months.


Thanks,
0
Comment
Question by:Jre19611
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40605749
You may want to check the Admin Audit Log around the time this happens. It may indicate what account this is occurring under. Be default the Admin Audit Log goes back 90 days.

From EMS you can run Search-AdminAuditLog

For example these will determine who has run these commands in the last 90 days.
Search-AdminAuditLog -Cmdlets Disable-Mailbox
Search-AdminAuditLog -Cmdlets Remove-Mailbox


You can also use the -StartDate 02/10/15 and -EndDate 02/12/15 parameters to narrow down to a time period in question.

More info on the Admin Audit Log here.
https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

If you need to configure logging settings on this you can also check out
Get-AdminAuditLogConfig and Set-AdminAuditLogConfig.

For example: Search-AdminAuditLog -Cmdlets Disable-Mailbox -StartDate 02/10/15

You don't actually need to specify both. If you do just -StartDate it goes from that date to the last entry in the log. And vice versa with end date.

Lastly, if you have Audit Account Management configured in Active Directory you can check your Security Logs on your DCs to see if anyone has modified the users accounts themselves.

More info on that here.
https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605925
Do you have any scripts that are running that are tied to a scheduled task for cleanup purposes?
Because you are saying this only happens every 3-4 months seems like there is some process running that is doing this disabling of the mailbox.

Will.
0
 

Author Comment

by:Jre19611
ID: 40605972
This is what I get after running the command:   Search-AdminAuditLog -Cmdlets Disable-Mailbox

Caller             : Test.West.edu/Faculty/John Doe "Example"
Succeeded          : True
Error              : None
RunDate            : 2/11/2015 7:12:56 AM
OriginatingServer  : EXCHANGE (14.03.0224.001)
Identity           : RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ
IsValid            : True
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 

Author Comment

by:Jre19611
ID: 40605975
I have looked for any scripts that I may have and I do not see any. Maybe I am looking in the wrong place. Any suggestions on where to look for them?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605977
The script really could be launched from any machine that has admin access to this. I would check servers and also laptops/desktops of admins that have access.

Will.
0
 

Author Comment

by:Jre19611
ID: 40606083
Question: After running the above command"Search-AdminAuditLog -Cmdlets Disable-Mailbox" i noticed that the identity shows up as RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ

what or who is this?

Anyideas?
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question