Solved

Repeatedly same Disabled user accounts in Exchange 2010 about every 6 months.

Posted on 2015-02-12
6
132 Views
Last Modified: 2015-04-21
We are running exchange 2010 and for some strange reason about every 4 to 6 months I have about 15 to 20 users accounts are disabled. They get the message when logging into their web mail that their account is disabled. I then go to exchange management console and look under disconnected mailbox and i see these
account listed here. I disable their accounts and once i do that i can go back to disconnected mailbox and find their accounts and reconnect it to that user and everything is fine again until this happens again in about 4 to 6 months.


Thanks,
0
Comment
Question by:Jre19611
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40605749
You may want to check the Admin Audit Log around the time this happens. It may indicate what account this is occurring under. Be default the Admin Audit Log goes back 90 days.

From EMS you can run Search-AdminAuditLog

For example these will determine who has run these commands in the last 90 days.
Search-AdminAuditLog -Cmdlets Disable-Mailbox
Search-AdminAuditLog -Cmdlets Remove-Mailbox


You can also use the -StartDate 02/10/15 and -EndDate 02/12/15 parameters to narrow down to a time period in question.

More info on the Admin Audit Log here.
https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

If you need to configure logging settings on this you can also check out
Get-AdminAuditLogConfig and Set-AdminAuditLogConfig.

For example: Search-AdminAuditLog -Cmdlets Disable-Mailbox -StartDate 02/10/15

You don't actually need to specify both. If you do just -StartDate it goes from that date to the last entry in the log. And vice versa with end date.

Lastly, if you have Audit Account Management configured in Active Directory you can check your Security Logs on your DCs to see if anyone has modified the users accounts themselves.

More info on that here.
https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605925
Do you have any scripts that are running that are tied to a scheduled task for cleanup purposes?
Because you are saying this only happens every 3-4 months seems like there is some process running that is doing this disabling of the mailbox.

Will.
0
 

Author Comment

by:Jre19611
ID: 40605972
This is what I get after running the command:   Search-AdminAuditLog -Cmdlets Disable-Mailbox

Caller             : Test.West.edu/Faculty/John Doe "Example"
Succeeded          : True
Error              : None
RunDate            : 2/11/2015 7:12:56 AM
OriginatingServer  : EXCHANGE (14.03.0224.001)
Identity           : RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ
IsValid            : True
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:Jre19611
ID: 40605975
I have looked for any scripts that I may have and I do not see any. Maybe I am looking in the wrong place. Any suggestions on where to look for them?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605977
The script really could be launched from any machine that has admin access to this. I would check servers and also laptops/desktops of admins that have access.

Will.
0
 

Author Comment

by:Jre19611
ID: 40606083
Question: After running the above command"Search-AdminAuditLog -Cmdlets Disable-Mailbox" i noticed that the identity shows up as RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ

what or who is this?

Anyideas?
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question