Solved

How to delete Exchange mailboxes associated with disabled AD accounts

Posted on 2016-09-14
23
54 Views
Last Modified: 2016-09-21
Hi, we are needing a script to delete the mailbox associated with disabled AD accounts.  We need to keep the disabled AD accounts.  Is there anything else we should consider in this?  Any gotchas?

Thanks,
Bob
0
Comment
Question by:breichard
  • 8
  • 7
  • 6
  • +1
23 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41798040
Use Disable-Mailbox to disconnect mailbox from AD account. Once command is complete, the mailboxes will be in disconnected stat and then will be purged by exchange based on the retention policy.
Disable-Mailbox UserA

Open in new window

To disable mailbox for all users in a OU
Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Disable-Mailbox 

Open in new window


Any gotchas?
If users have additional email addressed other than the standard email address policy then, export the of email addresses details before you delete, so in case, if you need to reconnect then then you can assign the email addresses from the backup.
Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Select-Object DisplayName,Database,PrimarySmtpAddress, @{N="EmailAddresses";E={$_.EmailAddresses |? {$_.PrefixString -ceq "smtp"}}} | Export-csv C:\report.csv -nti

Open in new window

Check if users have email forwarding enabled, if yes, you might need to confirm if it's still used.
Get-Mailbox -OrganizationalUnit "corp.lab.com/Test/Users/AZ" | Select DisplayName,ForwardingAddress | where {$_.ForwardingAddress -ne $Null}

Open in new window

Mailbox data will be in disconnected state till the retention period, so incase you get a request, you should be able to reconnect.
0
 
LVL 16

Expert Comment

by:FOX
ID: 41798086
Subsun,
They want to disable the mailboxes on all disabled AD accounts, therefore

Get-Aduser -filter "Enabled -eq 'False'" | Disable-Mailbox
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798125
I don't recommend to delete mailboxes for all disabled accounts, this may cause unexpected issues. For example Shared Mailboxes are connected to disabled accounts. Ideally in every environment, the disabled user accounts will be moved to a specific OU and keep it for certain time period before deletion. So better to limit the search to such disabled user OU while disabling the mailboxes.
0
 

Author Comment

by:breichard
ID: 41798140
Subsun, Foxluv,
Thanks for your replies.  Foxluv is correct, we are trying to disable mailboxes of disabled AD accounts only.

Foxluv, When we try yours above (without the pipe to Disable-Mailbox, just to see what it gave us), we get a message saying that Get-Aduser is not a valid cmdlet.  We are doing this in the Exchange Powershell.

Subsun, we do not follow completely.  If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?

Here is what we have come up with so far on our own:

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"} | Disable-Mailbox -Confirm:$False

Open in new window


Comments?

Thank you!
0
 
LVL 16

Expert Comment

by:FOX
ID: 41798153
Are you running the shell (as administrator)?  Secondly in Exchange managment shell run the command
Import-Module ActiveDirectory
and try the command again
0
 
LVL 41

Expert Comment

by:Amit
ID: 41798159
Better to use input txt file with usernames you want to disable in your script. This way you will not cause issues for Shared mailbox as pointed by @Subsun.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798164
Subsun, we do not follow completely.  If you move a disabled AD account to a specific OU for a period of time, then disable the mailbox later, it will still be part of any shared mailbox, so how is it any different?
If you don't have any such termination policy for user accounts, moving all disabled accounts to a single OU is not a good idea..

Your command should work. but I would suggest you to export details of all disabled users and mailboxes before you proceed with the disable mailbox.
0
 
LVL 16

Expert Comment

by:FOX
ID: 41798168
Don't confuse Enabled accounts with UserAccountControl(security)- your syntax will be the below

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -Confirm:$False
0
 

Author Comment

by:breichard
ID: 41798169
Amit, thanks for chiming in. Would you be able to give us an example of what that process would look like at the command line?
0
 
LVL 16

Assisted Solution

by:FOX
FOX earned 150 total points
ID: 41798184
If you want to get all your disabled users
Get-User -filter "Enabled -eq 'False'" | ft samaccountname | out-file c:\temp\disabledusers.csv

then at the top of the userlist create a heading disabledusers

New script to disable your mailboxes
Import-Csv c:\temp\disabledusers.csv | Foreach{Disable-Mailbox -Identity $_.DisabledUsers}
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798187
@breichard, Your command should work and wont affect the shared mailboxes as you are filtering usermailbox. But as a safe measure, as I mentioned earlier. Export the details and validate it before you proceed with delete/diable.

After disabling mailbox, you wont be able to find the users email addresses if you don't have a backup. but if you are not bothered about reconnecting them then you can go ahead..
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:breichard
ID: 41798194
Subsun, how would you recommend we do the export of the details?

Thanks,
Bob
0
 
LVL 16

Expert Comment

by:FOX
ID: 41798206
details
Get-User -filter "Enabled -eq 'False'" |ft samaccountname,enabled,emailaddress,givenname,surname
0
 
LVL 41

Expert Comment

by:Amit
ID: 41798207
If you know the OU where you have disabled account. Create an query in AD and then export the result. You need alias name in your input file.  Check below articles.

http://www.ntweekly.com/?p=2509

https://deangrant.wordpress.com/2013/10/08/bulk-disable-mailboxes-in-exchange-2010/

If count of user is not high, type it manually in the input file, only alias name.
0
 

Author Comment

by:breichard
ID: 41798213
We ran the following as a test, and got no output:

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.Enabled -eq"False"} | Disable-Mailbox -WhatIf

When we ran it before with where {$_.UseraccountControl -like "*accountdisabled*"}  we got a lot of output like:

What if: Disabling mailbox "domain.com/OU-name/Disabled Users/Christopher Name" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.

So it seems like foxluv's suggestion for change where {$_.Enabled -eq"False"} isn't finding anything?  Or is it normal for no output?
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 350 total points
ID: 41798218
You can use the same command which I mentioned in my first comment.. Example..
$users = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"}
$users | Get-Mailbox | Select-Object DisplayName,Database,PrimarySmtpAddress, @{N="EmailAddresses";E={$_.EmailAddresses |? {$_.PrefixString -ceq "smtp"}}} | Export-csv C:\report.csv -nti

$users | Get-Mailbox | Select DisplayName,ForwardingAddress | where {$_.ForwardingAddress -ne $Null} | Export-csv C:\FWreport.csv -nti

Open in new window

0
 
LVL 16

Expert Comment

by:FOX
ID: 41798220
What version of Exchange are you using.  Your syntax is correct if that is the Whatif results
0
 
LVL 40

Accepted Solution

by:
Subsun earned 350 total points
ID: 41798238
FYI, You need to filter using UseraccountControl , if you are using Get-User command.
0
 

Author Comment

by:breichard
ID: 41798240
Foxluv,

Get-User -filter "Enabled -eq 'False'" |ft samaccountname,enabled,emailaddress,givenname,surname

returned:

Invoke-Command : Cannot bind parameter 'Filter' to the target. Exception setting "Filter": ""Enabled" is not a recognized filterable property. For a complete list of filterable properties see the command help.
...
0
 

Author Comment

by:breichard
ID: 41798264
Ok, great export, thank you Subsun.  We have those saved now.  So, it sounds like we are good to go with

Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited | where {$_.UseraccountControl -like "*accountdisabled*"} | Disable-Mailbox -Confirm:$False

Thank you all so much for your help.
0
 

Author Comment

by:breichard
ID: 41798298
One quick follow up.  After running the above command, the mailboxes don't show up in Recipient Configuration\Disconnected Mailbox.  We refreshed, and even restarted the Exchange Mgmt Console, but they're still not there.  Where do we find them?  There are a couple we actually need to reconnect.

Thanks,
Bob
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798306
You need to run clean-mailboxdatabase  or wait for information store cache to clear..
0
 

Author Closing Comment

by:breichard
ID: 41808611
Thanks again for your help.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now