breichard
asked on
How to delete Exchange mailboxes associated with disabled AD accounts
Hi, we are needing a script to delete the mailbox associated with disabled AD accounts. We need to keep the disabled AD accounts. Is there anything else we should consider in this? Any gotchas?
Thanks,
Bob
Subsun,
They want to disable the mailboxes on all disabled AD accounts, therefore
Get-Aduser -filter "Enabled -eq 'False'" | Disable-Mailbox
I don't recommend deleting mailboxes for all disabled accounts; this may cause unexpected issues. For example, shared mailboxes are connected to disabled accounts. Ideally, in every environment, the disabled user accounts will be moved to a specific OU and kept for a certain time period before deletion. So it is better to limit the search to such a disabled-user OU while disabling the mailboxes.
ASKER
Subsun, Foxluv,
Thanks for your replies. Foxluv is correct, we are trying to disable mailboxes of disabled AD accounts only.
Foxluv, When we try yours above (without the pipe to Disable-Mailbox, just to see what it gave us), we get a message saying that Get-Aduser is not a valid cmdlet. We are doing this in the Exchange Powershell.
Subsun, we do not follow completely. If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?
Here is what we have come up with so far on our own:
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"} | Disable-Mailbox -Confirm:$False
Comments?
Thank you!
Are you running the shell (as administrator)? Secondly, in the Exchange Management Shell run the command
Import-Module ActiveDirectory
and try the command again
Better to use input txt file with usernames you want to disable in your script. This way you will not cause issues for Shared mailbox as pointed by @Subsun.
"Subsun, we do not follow completely. If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?"
If you don't have any such termination policy for user accounts, moving all disabled accounts to a single OU is not a good idea.
Your command should work, but I would suggest you export details of all disabled users and mailboxes before you proceed with disabling the mailboxes.
Don't confuse Enabled accounts with UserAccountControl (security) - your syntax will be the below
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -Confirm:$False
ASKER
Amit, thanks for chiming in. Would you be able to give us an example of what that process would look like at the command line?
@breichard, your command should work and won't affect the shared mailboxes, as you are filtering on UserMailbox. But as a safe measure, as I mentioned earlier, export the details and validate them before you proceed with delete/disable.
After disabling the mailbox, you won't be able to find the users' email addresses if you don't have a backup. But if you are not bothered about reconnecting them then you can go ahead.
ASKER
Subsun, how would you recommend we do the export of the details?
Thanks,
Bob
Get-User -filter "Enabled -eq 'False'" |ft samaccountname,enabled,emailaddress, givenname, surname
If you know the OU where you have the disabled accounts, create a query in AD and then export the result. You need the alias name in your input file. Check the articles below.
http://www.ntweekly.com/?p=2509
https://deangrant.wordpress.com/2013/10/08/bulk-disable-mailboxes-in-exchange-2010/
If count of user is not high, type it manually in the input file, only alias name.
ASKER
We ran the following as a test, and got no output:
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -WhatIf
When we ran it before with where {$_.UseraccountControl -like "*accountdisabled*"} we got a lot of output like:
What if: Disabling mailbox "domain.com/OU-name/Disabled Users/Christopher Name" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
So it seems like foxluv's suggestion for change where {$_.Enabled -eq"False"} isn't finding anything? Or is it normal for no output?
What version of Exchange are you using? Your syntax is correct if that is the WhatIf result.
ASKER
Foxluv,
Get-User -filter "Enabled -eq 'False'" |ft samaccountname,enabled,emailaddress, givenname, surname
returned:
Invoke-Command : Cannot bind parameter 'Filter' to the target. Exception setting "Filter": ""Enabled" is not a recognized filterable property. For a complete list of filterable properties see the command help.
...
ASKER
Ok, great export, thank you Subsun. We have those saved now. So, it sounds like we are good to go with
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"} | Disable-Mailbox -Confirm:$False
Thank you all so much for your help.
ASKER
One quick follow up. After running the above command, the mailboxes don't show up in Recipient Configuration\Disconnected Mailbox. We refreshed, and even restarted the Exchange Mgmt Console, but they're still not there. Where do we find them? There are a couple we actually need to reconnect.
Thanks,
Bob
You need to run Clean-MailboxDatabase or wait for the information store cache to clear.
ASKER
Thanks again for your help.
To disable mailbox for all users in an OU
If users have additional email addresses other than the standard email address policy, then export the email address details before you delete, so in case you need to reconnect them you can assign the email addresses from the backup.
Check if users have email forwarding enabled; if yes, you might need to confirm if it's still used.
Mailbox data will be in a disconnected state till the retention period, so in case you get a request, you should be able to reconnect.
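
The sequence the thread converges on (limit the scope to one OU, save the addresses and forwarding settings, dry-run before disabling), as an added example that is not code from any poster in this thread. The OU path and CSV path are placeholder assumptions; run it in the Exchange Management Shell.

```powershell
# Added example. $OU and $Csv are placeholders (assumptions); use your own values.
$OU  = 'example.local/Disabled Users'
$Csv = 'C:\Temp\disabled-user-mailboxes.csv'

# 1. Select only user mailboxes (shared, room and equipment mailboxes are
#    excluded by -RecipientTypeDetails) whose AD account is disabled, and
#    only inside the one OU. Collecting into a variable first also avoids
#    running two remote Exchange pipelines at the same time in step 2.
$targets = Get-User -OrganizationalUnit $OU -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -like '*AccountDisabled*' }

# 2. Record what is needed to validate the list and to reconnect later:
#    every proxy address, the database and mailbox GUID, and forwarding.
$report = $targets |
    ForEach-Object { Get-Mailbox -Identity $_.DistinguishedName } |
    Select-Object Alias, SamAccountName, ExchangeGuid, Database, PrimarySmtpAddress,
        @{ Name = 'EmailAddresses'; Expression = { $_.EmailAddresses -join ';' } },
        ForwardingAddress, DeliverToMailboxAndForward

$report | Export-Csv -Path $Csv -NoTypeInformation

# 3. Show mailboxes that still forward mail, so someone can confirm
#    whether the forward is still in use before the mailbox goes away.
$report | Where-Object { $_.ForwardingAddress } |
    Format-Table Alias, ForwardingAddress, DeliverToMailboxAndForward -AutoSize

# 4. Dry run: prints one "What if:" line per mailbox and changes nothing.
$targets | ForEach-Object { Disable-Mailbox -Identity $_.DistinguishedName -WhatIf }

"{0} mailbox(es) selected; details saved to {1}" -f @($targets).Count, $Csv
```

Once the CSV has been reviewed, replace `-WhatIf` with `-Confirm:$false` in step 4 to perform the change. The saved `Database` and `ExchangeGuid` columns identify each disconnected mailbox if one has to be reconnected within the retention period.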