How to limit an AD account - Misc questions - not sure how to ask this

I have a customer who needs to keep an AD User account active but remove all ability to have emails sent to this User, without deleting the mailbox or the User account, with the ability to undo what we did quickly.

Basically, a staff member is on leave for an undetermined amount of time. In the meantime, I need to block all external access for the staff (easy to do by changing passwords and disabling remote access) but also need to make sure any emails sent to the User are returned as invalid to the sender so they know to contact someone else, just as if they were terminated. We cannot delete the account or mailbox.

I have Disabled the User account but emails still route to the Inbox and the Out of Office reply is sent to the Sender. We do not want this as the Senders are not paying attention to the reply.  I have considered removing the email address from the User's AD account but am not sure if this will put the mailbox in a disconnected state, at which time I will need to monitor and make sure Exchange does not delete it following retention policies, since it is disconnected. I am in the process of backing up the mailbox to a PST in case anything is lost but I am sure another method is available - I just don't know what that method is.

Please advise on options native to Exchange and/ or AD to allow this, if possible.
Asked by Michael Machie (IT Supervisor):
Amit (IT Architect) commented:
Just give a fake email address to the user mailbox. Disable the automatic email address stamping setting. You need to use EMC or EMS to do this.


Just create another user, say test1, with a mailbox, merge the data of this user into the new test1 mailbox, and get rid of this one.

Will Szymkowski (Senior Solution Architect) commented:
Mail will ALWAYS go to the mailbox even if the AD Account is disabled. If you want to completely stop mail from going to the mailbox then you need to disable the mailbox. This basically puts the mailbox in a Disconnected State, at which point it will no longer receive email.

However, if you still need access to the mailbox directly, the only other thing I would suggest is creating a Transport Rule: whenever anyone emails this mailbox, send a reply-back message stating whatever you want, and you can even drop the message so that it does not go into the mailbox.


Lee W, MVP (Technology and Business Process Advisor) commented:
You need to set the default e-mail address to something else.   Then add the user's original e-mail address to the user you want to receive her messages.  Optionally, create a distribution group (and turn off the out of office notification for the user) and assign the user's e-mail address to the distribution group and make sure the away user AND the person now responsible for that user's email are both members of the group - that will ensure that when the user returns, a copy of all messages received will be available.  Or you can delegate access to that mailbox and then have someone else responsible for checking it and responding to messages from it.  You'll have to adjust permissions on the mailbox to do this/share it.

Michael Machie (IT Supervisor, Author) commented:
Good, very quick replies and info - thanks All.
I will review these options and see which one fits best. We will not forward email to someone else or have access to this box by someone else - we want it to replicate a non-existent account, but not actually terminate the staff or delete accounts.

@Amit: How do I change the email address stamp setting and what effect will that have globally?
@Will: This is kind of what I was thinking may be needed
@Lee: We do not want to grant access to this box to anyone else - that has been tried and is not working (the staff assigned are not keeping up with the emails, so I was tasked with implementing another method to force Senders to reach out to someone else). They still say "We sent 'xx' the email!" and argue the point. With an 'Undeliverable' message to them we can at least say to the Senders, "You received a reply stating the address is invalid and the email was not delivered."
I was thinking to do as Will suggested, but before doing so, set the retention policy on deleted mailboxes to a year. Then remove the email address from the account, allow the mailbox to go into a disconnected state, and let it sit disconnected for up to one year. When they return I can reconnect the mailbox to the User. Aside from all disconnected mailboxes hanging around for a year, would this work? Would this cause issues with people replying to a previously sent email to this User, say a year down the road when it is reconnected to the re-enabled User account?

Amit Kumar commented:
I think there is one more solution which is very easy to implement: create a transport rule so that if an e-mail is coming to that e-mail address, a rejection message is sent saying the e-mail address is invalid, and also redirect that mail to another test mailbox in case you need to keep all records if the user returns and asks for all previous e-mails.

Amit (IT Architect) commented:
Open user mailbox properties > Go to Email Address Tab > Below you will see one check box "Automatically update e-mail addresses based on recipient policy"; uncheck it. Now edit the current email address and change it to domain > Click Apply > OK.

This is going to affect only this user. Nothing else.

Lee W, MVP (Technology and Business Process Advisor) commented:
I gave you three options and you only acknowledged one.

Since what I wrote may not have been clear, when I said:
You need to set the default e-mail address to something else.   Then add the user's original e-mail address to the user you want to receive her messages.  Optionally, create a distribution group (and turn off the out of office notification for the user) and assign the user's e-mail address to the distribution group and make sure the away user AND the person now responsible for that user's email are both members of the group - that will ensure that when the user returns, a copy of all messages received will be available.  

I meant I would probably:
1. Create a Distribution Group in Exchange for "Users On Leave" - give it an email address like - this address will never be used or given out intentionally.
2. Give the on-leave user an ADDITIONAL e-mail address - and set it as primary. (You may have to un-check the box to automatically update the user's email address).
3. REMOVE the user's normal email address.
4. ADD the on-leave user's email address to the list of e-mail addresses that apply to "Users On Leave".
5. Add the user on leave AND the other mailbox(es)/user(s) you want to receive the on-leave user's email to the members of the Distribution Group.
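The five steps above, written out for the Exchange Management Shell as an added example (this is not code from the thread or from any of the commenters). The user, addresses, domain and group name are hypothetical placeholders; it assumes an on-premises Exchange 2010 or 2013 organization.

```powershell
# Added example, not from the thread. All names and addresses below are placeholders.
$User           = 'jdoe'                       # on-leave user (alias / sAMAccountName)
$OldAddress     = 'jdoe@example.com'           # the address senders already know
$HoldingAddress = 'jdoe.onleave@example.com'   # new primary; never published
$GroupName      = 'Users On Leave'
$GroupAddress   = 'users-on-leave@example.com' # group's own address; never published
$Coverer        = 'manager@example.com'        # mailbox that will read the mail meanwhile

# Step 1: distribution group whose own address is never given out
New-DistributionGroup -Name $GroupName -Alias 'usersonleave' `
    -PrimarySmtpAddress $GroupAddress -Type Distribution

# Step 2: stop the address policy re-stamping the mailbox, then make the holding
# address primary (the old address automatically becomes a secondary address)
Set-Mailbox -Identity $User -EmailAddressPolicyEnabled $false
Set-Mailbox -Identity $User -PrimarySmtpAddress $HoldingAddress

# Step 3: remove the old address from the mailbox. This must happen BEFORE step 4,
# because Exchange will not allow the same proxy address on two recipients.
Set-Mailbox -Identity $User -EmailAddresses @{Remove="smtp:$OldAddress"}

# Step 4: the old address now belongs to the group, so mail to it fans out to the members
Set-DistributionGroup -Identity $GroupName -EmailAddresses @{Add="smtp:$OldAddress"}

# Step 5: the on-leave user keeps a copy, and the coverer answers the mail
Add-DistributionGroupMember -Identity $GroupName -Member $User
Add-DistributionGroupMember -Identity $GroupName -Member $Coverer

# Check: the old address must now resolve to the group, not to the mailbox
Get-Recipient -Identity $OldAddress | Select-Object Name, RecipientType

# To reverse when the user returns: remove the address from the group
# (Set-DistributionGroup ... @{Remove=...}), then give it back to the mailbox with
# Set-Mailbox -PrimarySmtpAddress $OldAddress and drop the holding address.
```

Because the mailbox keeps its identity and only proxy addresses move, nothing is disconnected and no retention-policy deadline is started.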
Lee W, MVP (Technology and Business Process Advisor) commented:
I do this for departed users at several clients - when someone is fired or leaves, I don't just delete the account; I alter the e-mail config and assign that person's email to a "departed users" distribution group, and those in charge or covering them get all that person's email.

Amit (IT Architect) commented:
Lee, changing the email address is the easiest way. Lots of companies don't allow creating a DL for such a small request.

Michael Machie (IT Supervisor, Author) commented:
Thanks All!

@Amit: I appreciate the extra info. I thought that may be it but wanted to be sure.
@Amit Kumar Goyal: Thanks for the comment. I believe this is what Will was stating in the second half of his comment, and is an interesting idea.
@Lee: Thank you very much for the clarification. This definitely is a possibility moving forward and would probably work.

A few people mentioned the Transport Rule option, and that is probably the way to go. Will this affect the ability for people to reply to emails sent from this User's mailbox by selecting 'Reply' when the User returns? Or will it be fine and dandy? Seems like it should be fine.
Lee W, MVP (Technology and Business Process Advisor) commented:
Look at the context of the question - if a company were big enough to have such a rule, they'd most likely have procedures and understanding to cover this already and the question wouldn't have been asked.

Amit Kumar commented:
See, as you are not changing anything on the user's account, nothing will be changed; when the user is back, disable this transport rule and everything will be fine without any issue.

One more thing: if you want to deliver all e-mails to the user's account, then get consent from the user's reporting manager, reset the password and disable out of office, so at least the sender will not get an OOF notification.

Amit Kumar commented:
Transport rules take a small time to replicate. You can apply transport rules to mails coming from outside of the org, inside of the org, or all e-mails. You can just initiate a forced replication of AD and it will be replicated instantly.

Will Szymkowski (Senior Solution Architect) commented:
The transport rule will affect whoever you want it to affect. You can have only external users get auto replies, or you can configure both internal and external, or even just a specific user if you choose. This is entirely up to you.

And as for changing the primary SMTP to something ambiguous, that is not a good practice. The most appropriate method would be a transport rule, as I originally stated in my first post.
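The transport rule that Will, Amit Kumar and the asker converge on, as an added Exchange Management Shell example (not code from the thread or from any commenter). The mailbox address and rule name are hypothetical placeholders; it assumes on-premises Exchange 2010 SP1 or later.

```powershell
# Added example, not from the thread. Address and rule name are placeholders.
$Mailbox  = 'jdoe@example.com'
$RuleName = 'On leave - reject mail to jdoe'

# 1. Silence the Out of Office reply first. Transport rules take a moment to replicate,
#    and any message that reaches the mailbox before then would otherwise still
#    trigger the autoreply the senders have been ignoring.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Disabled

# 2. Reject mail addressed to the mailbox. The message never reaches the Inbox and the
#    sender gets an NDR carrying the reason text, i.e. the "undeliverable" evidence the
#    asker wants. -FromScope NotInOrganization limits this to external senders; drop it
#    to reject internal mail as well (Will's point that the scope is your choice).
New-TransportRule -Name $RuleName `
    -SentTo $Mailbox `
    -FromScope NotInOrganization `
    -RejectMessageReasonText 'This mailbox is not accepting mail. Please contact the main office instead.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Enabled $true

# 3. Verify the rule exists and is enabled before telling anyone it is in place
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SentTo, FromScope, RejectMessageReasonText

# When the user returns, nothing on the mailbox or the AD account has changed, so
# reversal is a single command (and re-enable the autoreply only if wanted):
#   Disable-TransportRule -Identity $RuleName
```

Because the rule is evaluated on the Hub Transport / Mailbox Transport service rather than on the mailbox, it keeps working regardless of whether the AD account is disabled, and it leaves the mailbox connected, so the retention question in the asker's follow-up never arises.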

Michael Machie (IT Supervisor, Author) commented:
Thanks for the updates to my questions. I have meetings all afternoon and will check out the transport rule option first.

Again, I appreciate all of the helpful and quick responses.

Update to follow in a day or two.
Michael Machie (IT Supervisor, Author) commented:
Thanks to all of you. I went through all scenarios and chose the best option for this scenario.

Much appreciation to all of you!