Remote Support Software

Provide instant remote support to customers and employees:

Click here for a free trial

How does Exchange handle disabled/expired Active Directory accounts?

Hello all,
I am hoping someone can clarify this for me. If you disable or expire an account, does it take a while for those changes to take affect in regards to OWA?
What I've noticed from my test network is:
Exchange 2003: disabling or expiring an account will still allow mail to be sent to the mailbox, but trying to login via OWA is disabled as soon as the account is expired.
Exchange 2010: disabling or expiring an account will still allow mail to be sent to the mailbox, but there is a short period of time where a user can still login to OWA even while the account is disabled or expired.
Exchange 2007: I am not sure about this as I don't have this in my test lab.
Am I correct in my observations? If so, why is there a window where a user can access OWA with a disabled account in Exchange 2010?
Thanks!

Need to support users over the internet? click here try our remote control online beta






July 11th, 2010 2:20pm
With your 2010 lab how long is that period and was the account disabled whilst someone was already logged on or did you disable the account and then try to log on?

"in2jars" wrote in message
news:c9c7dc0f-ec07-43aa-b6bc-e9cae27c4cf7...
Hello all,
I am hoping someone can clarify this for me. If you disable or expire an account, does it take a while for those changes to take affect in regards to OWA?
What I've noticed from my test network is:
Exchange 2003: disabling or expiring an account will still allow mail to be sent to the mailbox, but trying to login via OWA is disabled as soon as the account is expired.
Exchange 2010: disabling or expiring an account will still allow mail to be sent to the mailbox, but there is a short period of time where a user can still login to OWA even while the account is disabled or expired.
Exchange 2007: I am not sure about this as I don't have this in my test lab.
Am I correct in my observations? If so, why is there a window where a user can access OWA with a disabled account in Exchange 2010?
Thanks!
Mark Arnold, Exchange MVP.

There is an amazing pack of free network admin tools. click here to download it






July 11th, 2010 3:40pm
I am not sure how long exactly. I think it was longer than 30 minutes. I was logged on under another user in Windows. I just tried logging in OWA as the account I had disabled.
So, I disabled the account, then tried to login in with OWA and it let me.
My test lab has a 2003 and 2010 server in it (I was testing out a transition from 2003 to 2010). I did not think this was the behavior with 2003, so just to test I created a test user and placed their mailbox on the 2003 server. When I disabled the account
and then tried to log in via OWA (with the URL of the 2003 machine so their is no redirection or anything to worry about) it would not let me. So the disabling was immediate on 2003.

Need to support users over the internet? click here try our remote control online beta






July 11th, 2010 3:55pm
Hi,
After disabling the mailbox account, just run IISReset on command line on Exch 2010 CAS server, and then it won't let you login.
Regards,Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM)

www.HostingController.com


Need to support users over the internet? click here try our remote control online beta






July 11th, 2010 6:13pm
Hi,
After disabling the mailbox account, just run IISReset on command line on Exch 2010 CAS server, and then it won't let you login.
Regards,

Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM)

www.HostingController.com


OK, I am wondering if this is by design or not? If I disable an account is there really a period of time where someone could still log in with OWA?

Need to support users over the internet? click here try our remote control online beta






July 11th, 2010 6:26pm
Hi,
Yes, that's by design in Exchange 2007 and Exchange 2010. I can reproduce this issue.
Thanks
Allen

Need to support users over the internet? click here try our remote control online beta






July 15th, 2010 8:08am
Hi,

Sorry to re-awaken this one - but it is something I'm very interested in getting to the bottom of. I'm geting the same OWA issue in Exchange 2010 and was wondering if there was a way to prevent the behviour of users still being able to login to OWA, despite
being locked or disabled.

Is there a way to minimise this 'window of oppotunity'?
Thanks,
Chris

There is an amazing pack of free network admin tools. click here to download it






February 25th, 2011 6:52am
That's interesting to know. I would have expected that users in 2007/2010 would not be able to login as soon as Exchange gets notification of the change.

There is an amazing pack of free network admin tools. click here to download it






February 25th, 2011 7:00am
I think it's simply that notification interval that is the issue - it just seems (for me) too long.

There is an amazing pack of free network admin tools. click here to download it






February 25th, 2011 7:48am
By design, please refer to articles below.
Changing the Default Interval for User Tokens in IIS

http://support.microsoft.com/default.aspx?scid=kb;EN-US;152526

XWEB: Mailbox Access via OWA Depends on IIS Token Cache

http://support.microsoft.com/kb/173658

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Need to support users over the internet? click here try our remote control online beta






February 25th, 2011 8:15am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics