Solved

Repeatedly same Disabled user accounts in Exchange 2010 about every 6 months.

Posted on 2015-02-12
Last Modified: 2015-04-21
We are running Exchange 2010, and for some strange reason about every 4 to 6 months I have about 15 to 20 user accounts that are disabled. They get the message when logging into their web mail that their account is disabled. I then go to the Exchange Management Console and look under Disconnected Mailbox, and I see these accounts listed here. I disable their accounts, and once I do that I can go back to Disconnected Mailbox, find their accounts and reconnect each one to that user, and everything is fine again until this happens again in about 4 to 6 months.


Thanks,
Question by:Jre19611
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40605749
You may want to check the Admin Audit Log around the time this happens. It may indicate what account this is occurring under. By default the Admin Audit Log goes back 90 days.

From EMS you can run Search-AdminAuditLog

For example these will determine who has run these commands in the last 90 days.
Search-AdminAuditLog -Cmdlets Disable-Mailbox
Search-AdminAuditLog -Cmdlets Remove-Mailbox


You can also use the -StartDate 02/10/15 and -EndDate 02/12/15 parameters to narrow down to a time period in question.

More info on the Admin Audit Log here.
https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

If you need to configure logging settings on this you can also check out
Get-AdminAuditLogConfig and Set-AdminAuditLogConfig.

For example: Search-AdminAuditLog -Cmdlets Disable-Mailbox -StartDate 02/10/15

You don't actually need to specify both. If you do just -StartDate it goes from that date to the last entry in the log. And vice versa with end date.

Lastly, if you have Audit Account Management configured in Active Directory, you can check the Security logs on your DCs to see if anyone has modified the user accounts themselves.

More info on that here.
https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
0
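
An added example (not part of the original answer) that combines the searches above into one pass from the Exchange Management Shell and reports, per caller, how many mailboxes were disconnected and over what time span. The date window, the result size and the CSV file name are assumptions; substitute the period in which the accounts were last disabled.

```powershell
# Added example, not from the original answer. Run in the Exchange Management Shell.
# Assumed window: the sample dates used in the answer. Adjust to the incident.
$start = Get-Date '02/10/2015'
$end   = Get-Date '02/12/2015'

# Confirm auditing is enabled, which cmdlets are logged, and the retention age.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogAgeLimit

# Every command in the window that disconnects a mailbox from its user.
$entries = Search-AdminAuditLog -Cmdlets Disable-Mailbox, Remove-Mailbox `
    -StartDate $start -EndDate $end -ResultSize 5000

if (-not $entries) {
    Write-Warning "No Disable-Mailbox/Remove-Mailbox entries between $start and $end."
    return
}

# One row per command: who ran it, which mailbox it hit, from which server,
# and the parameters that were passed.
$report = $entries | Sort-Object RunDate | Select-Object RunDate, Caller,
    CmdletName, ObjectModified, OriginatingServer, Succeeded,
    @{ Name = 'Parameters'; Expression = {
        ($_.CmdletParameters |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
    } }

# Summary per caller and cmdlet. Many mailboxes from one caller within a few
# minutes suggests a script or scheduled task rather than manual work.
$report | Group-Object Caller, CmdletName | Select-Object Name, Count,
    @{ Name = 'First'; Expression = { ($_.Group | Select-Object -First 1).RunDate } },
    @{ Name = 'Last';  Expression = { ($_.Group | Select-Object -Last 1).RunDate } } |
    Format-Table -AutoSize

# Keep the detail for comparison with the list of affected users
# (file name is a placeholder).
$report | Export-Csv -NoTypeInformation -Path .\mailbox-disable-audit.csv
```

Compare the ObjectModified column with the list of affected users, and the Caller and OriginatingServer columns with the accounts and machines that hold Exchange admin rights.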
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605925
Do you have any scripts that are running that are tied to a scheduled task for cleanup purposes?
Because you are saying this only happens every 3-4 months, it seems like there is some process running that is doing this disabling of the mailbox.

Will.
0
 

Author Comment

by:Jre19611
ID: 40605972
This is what I get after running the command:   Search-AdminAuditLog -Cmdlets Disable-Mailbox

Caller             : Test.West.edu/Faculty/John Doe "Example"
Succeeded          : True
Error              : None
RunDate            : 2/11/2015 7:12:56 AM
OriginatingServer  : EXCHANGE (14.03.0224.001)
Identity           : RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ
IsValid            : True
0

 

Author Comment

by:Jre19611
ID: 40605975
I have looked for any scripts that I may have and I do not see any. Maybe I am looking in the wrong place. Any suggestions on where to look for them?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40605977
The script really could be launched from any machine that has admin access to this. I would check servers and also laptops/desktops of admins that have access.

Will.
0
 

Author Comment

by:Jre19611
ID: 40606083
Question: After running the above command "Search-AdminAuditLog -Cmdlets Disable-Mailbox" I noticed that the identity shows up as RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ

What or who is this?

Any ideas?
0
