How does Exchange handle disabled/expired Active Directory accounts?
Hello all, I am hoping someone can clarify this for me. If you disable or expire an account, does it take a while for those changes to take effect in regards to OWA? What I've noticed from my test network is:

Exchange 2003: disabling or expiring an account will still allow mail to be sent to the mailbox, but trying to log in via OWA is disabled as soon as the account is expired.

Exchange 2010: disabling or expiring an account will still allow mail to be sent to the mailbox, but there is a short period of time where a user can still log in to OWA even while the account is disabled or expired.

Exchange 2007: I am not sure about this as I don't have this in my test lab.

Am I correct in my observations? If so, why is there a window where a user can access OWA with a disabled account in Exchange 2010? Thanks!
July 11th, 2010 2:20pm

With your 2010 lab, how long is that period, and was the account disabled whilst someone was already logged on, or did you disable the account and then try to log on?

"in2jars" wrote in message news:c9c7dc0f-ec07-43aa-b6bc-e9cae27c4cf7... [original post quoted in full above]

Mark Arnold, Exchange MVP.
July 11th, 2010 3:40pm

I am not sure how long exactly. I think it was longer than 30 minutes. I was logged on under another user in Windows. I just tried logging in to OWA as the account I had disabled. So, I disabled the account, then tried to log in with OWA and it let me. My test lab has a 2003 and 2010 server in it (I was testing out a transition from 2003 to 2010). I did not think this was the behavior with 2003, so just to test I created a test user and placed their mailbox on the 2003 server. When I disabled the account and then tried to log in via OWA (with the URL of the 2003 machine so there is no redirection or anything to worry about) it would not let me. So the disabling was immediate on 2003.
July 11th, 2010 3:55pm

Hi, After disabling the mailbox account, just run IISReset on the command line on the Exch 2010 CAS server, and then it won't let you log in.

Regards, Laeeq Qazi | Team Lead (Exchange + SharePoint + BES + DynamicsCRM) www.HostingController.com
July 11th, 2010 6:13pm

[quoting Laeeq Qazi's reply above]

OK, I am wondering if this is by design or not? If I disable an account is there really a period of time where someone could still log in with OWA?
July 11th, 2010 6:26pm

Hi, Yes, that's by design in Exchange 2007 and Exchange 2010. I can reproduce this issue. Thanks Allen
July 15th, 2010 8:08am

Hi, Sorry to re-awaken this one - but it is something I'm very interested in getting to the bottom of. I'm getting the same OWA issue in Exchange 2010 and was wondering if there was a way to prevent the behaviour of users still being able to log in to OWA, despite being locked or disabled. Is there a way to minimise this 'window of opportunity'? Thanks, Chris
February 25th, 2011 6:52am

That's interesting to know. I would have expected that users in 2007/2010 would not be able to login as soon as Exchange gets notification of the change.
February 25th, 2011 7:00am

I think it's simply that notification interval that is the issue - it just seems (for me) too long.
February 25th, 2011 7:48am

By design, please refer to the articles below.

Changing the Default Interval for User Tokens in IIS: http://support.microsoft.com/default.aspx?scid=kb;EN-US;152526

XWEB: Mailbox Access via OWA Depends on IIS Token Cache: http://support.microsoft.com/kb/173658

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2011 8:15am
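An added example, not from any poster in this thread, showing how an administrator can inspect and shorten the IIS user-token cache interval the two KB articles above describe, and combine the account disable with the IISReset suggested earlier so the OWA window closes immediately. It assumes it runs elevated on the Exchange 2010 CAS server with the ActiveDirectory module installed; the registry path, value name and 15-minute default are taken from KB 152526 and should be verified against your build.

```powershell
# Registry location of the IIS token cache TTL (per KB 152526). DWORD, in seconds.
$TokenKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$TokenName  = 'UserTokenTTL'
$DefaultTtl = 900   # assumed IIS default (15 minutes) when the value is not set

function Get-OwaTokenWindow {
    # How long a cached token, and therefore a disabled user's OWA access, can survive.
    $val = (Get-ItemProperty -Path $TokenKey -Name $TokenName -ErrorAction SilentlyContinue).$TokenName
    if ($null -eq $val) { $val = $DefaultTtl; $src = 'default (value not set)' } else { $src = 'registry' }
    [pscustomobject]@{ Seconds = $val; Minutes = [math]::Round($val / 60, 1); Source = $src }
}

function Set-OwaTokenWindow {
    param([Parameter(Mandatory)][ValidateRange(60, 86400)][int]$Seconds)
    # A shorter TTL shrinks the window. IIS reads the value at startup, so restart afterwards.
    if (-not (Test-Path $TokenKey)) { New-Item -Path $TokenKey -Force | Out-Null }
    New-ItemProperty -Path $TokenKey -Name $TokenName -Value $Seconds -PropertyType DWord -Force | Out-Null
    Write-Host "UserTokenTTL set to $Seconds s; run 'iisreset' for the change to take effect."
}

function Disable-UserAndFlushOwa {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Disable in AD, then drop IIS's cached tokens so the disable is immediate instead of
    # waiting out UserTokenTTL. Note: iisreset interrupts every web client on this CAS.
    Import-Module ActiveDirectory
    Disable-ADAccount -Identity $SamAccountName
    iisreset /noforce | Out-Null
    Write-Host "$SamAccountName disabled and IIS token cache cleared on $env:COMPUTERNAME."
}

# Report the current window; e.g. Set-OwaTokenWindow -Seconds 300 to tighten it.
Get-OwaTokenWindow
```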
