How to delete Exchange mailboxes associated with disabled AD accounts

Use Disable-Mailbox to disconnect mailbox from AD account. Once command is complete, the mailboxes will be in disconnected stat and then will be purged by exchange based on the retention policy.

Disable-Mailbox UserA

Select allOpen in new window

To disable mailbox for all users in a OU

Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Disable-Mailbox 

Select allOpen in new window

Any gotchas?

If users have additional email addressed other than the standard email address policy then, export the of email addresses details before you delete, so in case, if you need to reconnect then then you can assign the email addresses from the backup.

Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Select-Object DisplayName,Database,PrimarySmtpAddress, @{N="EmailAddresses";E={$_.EmailAddresses |? {$_.PrefixString -ceq "smtp"}}} | Export-csv C:\report.csv -nti

Select allOpen in new window

Check if users have email forwarding enabled, if yes, you might need to confirm if it's still used.

Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Select DisplayName,ForwardingAddress | where {$_.ForwardingAddress -ne $Null}

Select allOpen in new window

Mailbox data will be in disconnected state till the retention period, so incase you get a request, you should be able to reconnect.

Subsun,
They want to disable the mailboxes on all disabled AD accounts, therefore

Get-Aduser -filter "Enabled -eq 'False'" | Disable-Mailbox

I don't recommend to delete mailboxes for all disabled accounts, this may cause unexpected issues. For example Shared Mailboxes are connected to disabled accounts. Ideally in every environment, the disabled user accounts will be moved to a specific OU and keep it for certain time period before deletion. So better to limit the search to such disabled user OU while disabling the mailboxes.

Subsun, Foxluv,
Thanks for your replies.  Foxluv is correct, we are trying to disable mailboxes of disabled AD accounts only.

Foxluv, When we try yours above (without the pipe to Disable-Mailbox, just to see what it gave us), we get a message saying that Get-Aduser is not a valid cmdlet.  We are doing this in the Exchange Powershell.

Subsun, we do not follow completely.  If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?

Here is what we have come up with so far on our own:

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"} | Disable-Mailbox -Confirm:$False

Select allOpen in new window

Comments?

Thank you!

Are you running the shell (as administrator)?  Secondly in Exchange managment shell run the command
Import-Module ActiveDirectory
and try the command again

Better to use input txt file with usernames you want to disable in your script. This way you will not cause issues for Shared mailbox as pointed by @Subsun.

Subsun, we do not follow completely.  If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?

If you don't have any such termination policy for user accounts, moving all disabled accounts to a single OU is not a good idea..

Your command should work. but I would suggest you to export details of all disabled users and mailboxes before you proceed with the disable mailbox.

Don't confuse Enabled accounts with UserAccountControl(security)- your syntax will be the below

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -Confirm:$False

Amit, thanks for chiming in. Would you be able to give us an example of what that process would look like at the command line?

@breichard, Your command should work and wont affect the shared mailboxes as you are filtering usermailbox. But as a safe measure, as I mentioned earlier. Export the details and validate it before you proceed with delete/diable.

After disabling mailbox, you wont be able to find the users email addresses if you don't have a backup. but if you are not bothered about reconnecting them then you can go ahead..

Subsun, how would you recommend we do the export of the details?

Thanks,
Bob

details
Get-User -filter "Enabled -eq 'False'" |ft samaccountname,enabled,emailaddress,givenname,surname

If you know the OU where you have disabled account. Create an query in AD and then export the result. You need alias name in your input file.  Check below articles.

http://www.ntweekly.com/?p=2509

https://deangrant.wordpress.com/2013/10/08/bulk-disable-mailboxes-in-exchange-2010/

If count of user is not high, type it manually in the input file, only alias name.

We ran the following as a test, and got no output:

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -WhatIf

When we ran it before with where {$_.UseraccountControl -like "*accountdisabled*"}  we got a lot of output like:


So it seems like foxluv's suggestion for change where {$_.Enabled -eq"False"} isn't finding anything?  Or is it normal for no output?

What version of Exchange are you using.  Your syntax is correct if that is the Whatif results

Foxluv,


returned:

Ok, great export, thank you Subsun.  We have those saved now.  So, it sounds like we are good to go with


Thank you all so much for your help.

One quick follow up.  After running the above command, the mailboxes don't show up in Recipient Configuration\Disconnected Mailbox.  We refreshed, and even restarted the Exchange Mgmt Console, but they're still not there.  Where do we find them?  There are a couple we actually need to reconnect.

Thanks,
Bob

You need to run clean-mailboxdatabase  or wait for information store cache to clear..

Thanks again for your help.