Solved

Repeatedly same Disabled user accounts in Exchange 2010 about every 6 months.

Posted on 2015-02-12
6
95 Views
Last Modified: 2015-04-21
We are running exchange 2010 and for some strange reason about every 4 to 6 months I have about 15 to 20 users accounts are disabled. They get the message when logging into their web mail that their account is disabled. I then go to exchange management console and look under disconnected mailbox and i see these
account listed here. I disable their accounts and once i do that i can go back to disconnected mailbox and find their accounts and reconnect it to that user and everything is fine again until this happens again in about 4 to 6 months.


Thanks,
0
Comment
Question by:Jre19611
  • 3
  • 2
6 Comments
 
LVL 30

Accepted Solution

by:
Gareth Gudger earned 500 total points
Comment Utility
You may want to check the Admin Audit Log around the time this happens. It may indicate what account this is occurring under. Be default the Admin Audit Log goes back 90 days.

From EMS you can run Search-AdminAuditLog

For example these will determine who has run these commands in the last 90 days.
Search-AdminAuditLog -Cmdlets Disable-Mailbox
Search-AdminAuditLog -Cmdlets Remove-Mailbox


You can also use the -StartDate 02/10/15 and -EndDate 02/12/15 parameters to narrow down to a time period in question.

More info on the Admin Audit Log here.
https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

If you need to configure logging settings on this you can also check out
Get-AdminAuditLogConfig and Set-AdminAuditLogConfig.

For example: Search-AdminAuditLog -Cmdlets Disable-Mailbox -StartDate 02/10/15

You don't actually need to specify both. If you do just -StartDate it goes from that date to the last entry in the log. And vice versa with end date.

Lastly, if you have Audit Account Management configured in Active Directory you can check your Security Logs on your DCs to see if anyone has modified the users accounts themselves.

More info on that here.
https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
Do you have any scripts that are running that are tied to a scheduled task for cleanup purposes?
Because you are saying this only happens every 3-4 months seems like there is some process running that is doing this disabling of the mailbox.

Will.
0
 

Author Comment

by:Jre19611
Comment Utility
This is what I get after running the command:   Search-AdminAuditLog -Cmdlets Disable-Mailbox

Caller             : Test.West.edu/Faculty/John Doe "Example"
Succeeded          : True
Error              : None
RunDate            : 2/11/2015 7:12:56 AM
OriginatingServer  : EXCHANGE (14.03.0224.001)
Identity           : RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ
IsValid            : True
0
Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

 

Author Comment

by:Jre19611
Comment Utility
I have looked for any scripts that I may have and I do not see any. Maybe I am looking in the wrong place. Any suggestions on where to look for them?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
The script really could be launched from any machine that has admin access to this. I would check servers and also laptops/desktops of admins that have access.

Will.
0
 

Author Comment

by:Jre19611
Comment Utility
Question: After running the above command"Search-AdminAuditLog -Cmdlets Disable-Mailbox" i noticed that the identity shows up as RgAAAAAwxQ0roP2HQaUdFzC6NfNcBwCgebiJKPEBTYcE68lyn6+9AAAAtCvQAACgebiJKPEBTYcE68lyn6+9AAAn3yoVAAAJ

what or who is this?

Anyideas?
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
how to add IIS SMTP to handle application/Scanner relays into office 365.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now