Exchange, GAL, AD, disabled users, several questions
Our environment is Windows Server 2012 R2 domain @ 2008 DFL/FFL with Exchange 2013.
When we disable a user in AD, email does not bounce and I would expect it to. I think it's because we are at 2008 DFL/FFL. To test this, I logged into another domain I manage that is 2012 R2 DFL/FFL and tested. When I disable users there, the mail bounces.
In my 2008 DFL/FFL I have to manually disable the mailbox before mail bounces.
So, my question is, is something broken? In a 2008 DFL/FFL domain with Exchange 2013, should mail bounce when a user is disabled in AD? Must I manually disable the mailbox as well? Why? This seems counterintuitive, as I clearly recall that disabling a user in AD killed access to everything in earlier versions of Windows.
I'm sorry to be a pain, but I have a domain that is 2012 R2 and Exchange 2013. When I disable the user in AD, mail bounces immediately without having to interact with Exchange.
In the domain that is the subject of this post, that does not happen.
That "difference" has me confused. In all previous domains I have managed with, say, 2008 and Exchange 2010, disabling the AD account also bounces the mail.
Amit Kumar
No, it can't be true, as I have Exchange 2010 with 2008 R2 and we have a lot of accounts disabled, but the mailboxes are live and mail is not bouncing back.
Do one thing: when you disable the AD account in the Windows 2012 R2 domain with Exchange 2013, try searching whether the mailbox still exists.
You can use the EAC or try the command below:
Get-Mailbox -Identity UserName | ft Name,SamAccountName,PrimarySMTPAddress
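The check above looks at one user. As an added example (not code posted by anyone in this thread) here is the same check run across the whole domain: it prints the functional levels the asker is comparing, lists every AD-disabled account that still has a connected mailbox, and separately lists mailboxes that were actually disabled in Exchange and are sitting disconnected in the database. It assumes an Exchange Management Shell session on a server with the ActiveDirectory module installed.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumptions: run in the Exchange Management Shell on a server where the
# ActiveDirectory module is installed; the account running it can read AD and
# run Get-Mailbox / Get-MailboxStatistics.
Import-Module ActiveDirectory

# 1. The functional levels the asker is comparing between domains.
$domain = Get-ADDomain
$forest = Get-ADForest
'{0}: DomainMode={1}  ForestMode={2}' -f $domain.DNSRoot, $domain.DomainMode, $forest.ForestMode

# 2. Disabled AD accounts that still carry a mailbox. Exchange writes the mailbox
#    GUID onto the user object, so a populated msExchMailboxGuid on a disabled
#    account means the account was disabled in AD only and the mailbox was never
#    disabled in Exchange. RecipientTypeDetails matters: shared, room and equipment
#    mailboxes have disabled AD accounts by design.
$disabled = Get-ADUser -LDAPFilter '(msExchMailboxGuid=*)' -Properties msExchMailboxGuid |
    Where-Object { -not $_.Enabled }

$report = foreach ($u in $disabled) {
    # Get-Mailbox confirms Exchange still sees the mailbox as connected (Amit's check).
    $mbx = Get-Mailbox -Identity $u.DistinguishedName -ErrorAction SilentlyContinue
    $found = [bool]$mbx
    $smtp  = ''; $type = ''; $hidden = ''; $db = ''
    if ($found) {
        $smtp   = "$($mbx.PrimarySmtpAddress)"
        $type   = "$($mbx.RecipientTypeDetails)"
        $hidden = $mbx.HiddenFromAddressListsEnabled
        $db     = "$($mbx.Database)"
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        AccountEnabled = $u.Enabled
        MailboxFound   = $found
        MailboxType    = $type
        PrimarySmtp    = $smtp
        HiddenFromGAL  = $hidden
        Database       = $db
    }
}
$report | Format-Table -AutoSize

# 3. Mailboxes that really were disabled in Exchange: Disable-Mailbox strips the mail
#    attributes from the AD object (which is why mail to the old address is then
#    rejected as an unknown recipient) and leaves the mailbox disconnected in the
#    database until the deleted-mailbox retention period expires.
Get-MailboxDatabase | Get-MailboxStatistics |
    Where-Object { $_.DisconnectDate } |
    Select-Object DisplayName, DisconnectReason, DisconnectDate, Database |
    Sort-Object DisconnectDate -Descending |
    Format-Table -AutoSize
```

If a user shows up in the second table with MailboxFound = True and MailboxType = UserMailbox, Exchange still considers that recipient valid and will accept mail for it regardless of the AD account state; the account needs to appear in the third table (or be blocked some other way) before the sender gets an NDR.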
Camy
For the domain that you get the NDR messages for - is there any transport rules setup?
Could you maybe post the exact NDR message you are getting?
crp0499
ASKER
I understand your wonder. I'm wondering too. In domain one, when I disable the user in AD, mail bounces immediately, but the user still shows in the GAL. My NDR says the user does not exist.
In domain two, when I disable the user, the mail does not bounce. It's really got me baffled.
crp0499
ASKER
Camy, no transport rules. The NDR says the user does not exist for the domain that is working properly.
Amit Kumar
If the NDR says the user does not exist, that means you are disabling the mailbox, not the account in AD. Please explain the steps you take to disable the account in Windows 2012 + Exchange 2013.
crp0499
ASKER
Amit, that's my point. I am ONLY going into AD, right-clicking the user and disabling the account. I am not disabling the mailbox.
That works as expected in my test domain.
In my real domain, when I disable the user, the mail does not bounce. To me, that is wrong and that is what I'm trying to figure out.
Camy
Until you figure it out, it might also be worth considering why it works as you expect in the test domain, given our expectation that it's actually the real domain that is "working correctly". This might help understand what is going on so you can configure the real domain as you wish.
crp0499
ASKER
Well, in my idle time, I hit two more domains that I manage and it works the same there. Disabling a user in AD bounces the email.
I mean if you think about it, that's how it should work and that's the only way I've ever seen it work. To think that I can have a mailbox attached to a disabled user still receive email is just crazy. This really has me stumped.
I guess to spin it the other way, to think that I have to go to two places to kill a user is just nuts.
Amit Kumar
Before anything else, just to be clear: if the account is disabled in AD and the mailbox is live, then mail won't get bounced. This is how Exchange works.
crp0499
ASKER
Amit, I completely understand what you are saying, hence my post.
I have logged into three domains I manage...all running 2012 R2 and Exchange 2013 and when I disable a user in AD, mail bounces.
I am onsite with a 2012 R2 domain and Exchange 2013 and when I disable a user, mail does not bounce. The ONLY difference is all three domains working as they should are all 2012 R2 DFL/FFL. The one domain NOT working right is 2008 DFL/FFL.
Amit Kumar
Can you explain more about DFL/FFL?
crp0499
ASKER
Domain Functional Level and Forest Functional Level
In the domains where the DFL and FFL are 2012 R2, disabling a user in AD causes mail to bounce. Verified on three diff domains.
In the domain where DFL and FFL is 2008 only, this is not the case. I have to disable in both places.
Camy
Amit mentioned this, but what do the mailboxes look like in Exchange after you disabled the user account? Visible? Disconnected?
Maybe I'm just showing my ignorance of 2012 compared to earlier versions, but I think I'm a bit stumped!
I know you said the only difference was the DFL/FFL, but is Exchange patched to the same level on the domains too?
crp0499
ASKER
Patch levels might be off by a bit, but pretty close.
In all four domains, the mailboxes show enabled.
The site I am at right now, the one that's not working like I think it should, the mailbox shows enabled, but the user is disabled in AD and mail does not bounce.
In the other three sites, the user is disabled, the mailbox is enabled, but mail bounces. The NDR says the user does not exist, which is correct and what I expect. IF the user is disabled in AD, then the user should not get mail or access to any other AD-related resources. This is how it works in every domain I've ever set up.
Now I arrive here today to this domain, which I did not set up, and I can send mail to any disabled user and I get no bounce. That's just crazy. I'm going to up the DFL/FFL here and see if that makes a difference.
Camy
Glad you got to the bottom of it, and I'll keep that in mind for the future.
I suspect I might Google this another couple of times to see if I can find any more information on it!
crp0499
ASKER
Camy - yes! It's VERY confusing for me as EVERYONE on the planet tells me that's not right. Everyone says I have to disable in two places, both AD and the mailbox so I'm really freaking out, but at least I'm getting consistent performance across the board.
https://social.technet.microsoft.com/Forums/en-US/79ad6811-de01-4e94-8703-b76af7a305e5/how-to-prevent-disabled-ad-accounts-from-receiving-mails-in-exchange-2010?forum=exchange2010
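As an added example (not code from this thread or from the linked TechNet post), here is one way to get the "disable in AD and the mail bounces" behaviour deterministically, without depending on functional level and without disabling the mailbox: a mail-enabled distribution group plus a single transport rule that rejects anything addressed to a member, and a reconcile loop that keeps the group in step with the AD account state. It assumes an Exchange Management Shell session with the ActiveDirectory module loaded; the group name, the contoso.com address and the rule name are placeholders.

```powershell
# Added example, not code from the thread or from the linked TechNet post.
# Assumptions: Exchange Management Shell with the ActiveDirectory module loaded;
# the group name, SMTP address (contoso.com) and rule name are placeholders.
Import-Module ActiveDirectory

$GroupName = 'DisabledUsers-NoMail'
$GroupSmtp = 'disabledusers-nomail@contoso.com'
$RuleName  = 'Reject mail to disabled AD accounts'

# 1. A mail-enabled distribution group the transport rule can test membership of.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $GroupSmtp -Type Distribution | Out-Null
    # Keep the group itself out of the GAL so nobody addresses mail to it by hand.
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}

# 2. One transport rule: anything addressed to a member of the group gets an NDR.
#    Transport rules only accept 5.7.1 or 5.7.900-5.7.999 as the enhanced status
#    code, so the NDR reads as a delivery restriction, not "user does not exist".
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SentToMemberOf $GroupSmtp `
        -RejectMessageReasonText 'The recipient account is disabled.' `
        -RejectMessageEnhancedStatusCode '5.7.1' | Out-Null
}

# 3. Reconcile group membership with the AD account state. Only UserMailbox is
#    considered: shared, room and equipment mailboxes have disabled AD accounts by
#    design and must keep receiving mail. Re-enabled accounts are removed from the
#    group and unhidden, so this block is safe to run on a schedule.
$disabledDn = @{}
Get-ADUser -Filter 'Enabled -eq $false' | ForEach-Object { $disabledDn[$_.DistinguishedName] = $true }

$memberDn = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { $memberDn[$_.DistinguishedName] = $true }

foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    $dn         = $mbx.DistinguishedName
    $isDisabled = $disabledDn.ContainsKey($dn)
    $inGroup    = $memberDn.ContainsKey($dn)

    if ($isDisabled -and -not $inGroup) {
        Add-DistributionGroupMember -Identity $GroupName -Member $dn
        # The asker noted disabled users still showing in the GAL; hide them too.
        Set-Mailbox -Identity $dn -HiddenFromAddressListsEnabled $true
        "blocked   $($mbx.SamAccountName)"
    }
    elseif (-not $isDisabled -and $inGroup) {
        Remove-DistributionGroupMember -Identity $GroupName -Member $dn -Confirm:$false
        Set-Mailbox -Identity $dn -HiddenFromAddressListsEnabled $false
        "unblocked $($mbx.SamAccountName)"
    }
}
```

Two caveats: the group's SMTP domain must be one of the organization's accepted domains or New-DistributionGroup will refuse it, and both the group membership and the transport rule live in AD, so the reject takes effect only after replication reaches the transport servers (and the GAL change only after the next offline address book generation). Mail already sitting in a queue for the recipient is not affected.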