| Author | Messages | |
listmail
Posts:463
 | | 08/21/2005 9:06 AM |
| I think this is fine in a small environment or *maybe* in a
large environment if the chances of moving the mailbox are very very slim or the
chances of reconnection are very very slim.
As mentioned previously, the lack of the ability to move a
disconnected mailbox (say you have a server issue and are trying to get
mailboxes off of it quickly) and the crappy nasty horrible WMI reconnect
programmatic method make this a nightmare to deal with in a large org. If MS
published the details for doing a MAPI reconnect I would happily write a command
line tool to handle this so it could be done in a realistic way for an
enterprise. I have begged for the source to a couple of tools they have that do
things like this (such as MBCONNECT) but haven't thus far gotten it. I just
recently purchased the supposedly best MAPI book ever (Inside MAPI) that is not
available hard copy anymore but got on CD for like $60 so I can hopefully try to
work out how to do this.
I much prefer moving the object, disabling it, and properly
setting the MAS and ACL to self on the mailbox. This is what I push for in the
larger Exchange deployments (100k+) but would really recommend it for anyone if
they were looking to handle things the easiest
programmatically.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Wednesday, August 17, 2005 7:06 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] exchange weirdeness

FWIW, I've always been a fan of disassociating the user account from the
mailbox and then disabling the user access by disabling the user object from
login, moving it to a new OU, removing the groups, marking the object with a
time stamp for later use, and logging every action taken to a text file for
later review and auditing functions.

I can leave a user account that I can associate and disassociate at will if I
need access. It's not pretty, but then again, there is no pretty way to make
this work.

The scripts involved are pretty straightforward; it's a matter of figuring out
what the process should be.

My $0.04 anyway.

Al

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Tom Kern
Sent: Wed 8/17/2005 5:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] exchange weirdeness

thanks a lot!!

On 8/17/05, Coleman, Hunter wrote:
> For folks who have already left, I'd go with granting "Self" full
> mailbox access. I haven't tested it, but if the account has already been
> disabled then I don't think that setting it to expire on a date in the
> past will restore the necessary mailbox permissions for you to access
> it.
>
> For future departures, I think the ideal thing is to have some sort of
> deprovisioning utility that handles disabling the account, possibly
> moving it to a different OU, sets the Self mailbox access, and any other
> rules that your business processes dictate. You could have that as a
> script or front-end it with a web page.
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
> Sent: Wednesday, August 17, 2005 2:06 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] exchange weirdeness
>
> so, what is a good practice to deal with users who have left and their
> mailboxes?
>
> Should you just expire the account to a date in the past and then you
> can access their box?
> or can you give "Self" full mailbox access to a disabled account and
> then access the box?
>
> which way works?
> thanks a lot
>
> On 8/17/05, Coleman, Hunter wrote:
> > No. You're running into the msExchMasterAccountSID problem.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has
> > information, and points to the NoMAS tool. You can also handle this by
> > setting the attributes manually or via script.
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
> > Sent: Wednesday, August 17, 2005 12:48 PM
> > To: activedirectory
> > Subject: Re: [ActiveDir] exchange weirdeness
> >
> > update- i enabled the user account about 30 mins ago and updated the
> > RUS.
> > still i get denied trying to log on via outlook and an event id
> > 9548 gets logged on the exchange server every time i try logging on,
> > stating that the account is still disabled...
> >
> > replication issue?
> >
> > dns is up and running. the only known issue is no connectivity to the
> > root. but the root has no users or mailservers.
> >
> > strange
> >
> > On 8/17/05, Tom Kern wrote:
> > > I have mailbox enabled users in AD that have been disabled. However
> > > in ESM, they are not marked as such. When i run the cleanup agent, they
> > > are still not marked as disabled.
> > >
> > > When i try to Exmerge the box, I get an access denied error (i have
> > > full exchange admin rights inherited from the org and full mailbox
> > > right on the user).
> > > Also, i can't open their box via outlook as well.
> > >
> > > My situation at this firm is as such- we have no network
> > > connectivity to the root (for about 2 wks. don't ask, long story..).
> > > The users are all in my child domain as are their mailboxes. the
> > > root is empty.
> > >
> > > We are also running with netbios/tcp disabled forest wide.
> > >
> > > i know there are some issues with netbios being disabled and exmerge
> > > and ESM and outlook. Could this be a cause? I don't know the exact
> > > error you would get.
> > >
> > > I don't think having no connectivity to the root should be an issue.
> > > We have 4 dc's, 3 of which are gc's in the child domain.
> > >
> > > any advice would be great.
> > > thanks
> > >
> > List info : http://www.activedir.org/Listaspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
 | | | |
|
|
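
The condition discussed in this thread (a disabled, mailbox-enabled account with no msExchMasterAccountSID, which is what event 9548 complains about) can be audited read-only before deciding how to deprovision. The following is an added example, not part of the original thread or of any tool named in it; it assumes the RSAT ActiveDirectory PowerShell module (which postdates this 2005 discussion) and an Exchange-extended schema, and the helper name and CSV file name are made up for illustration.

```powershell
# Added example: read-only audit; it changes nothing in the directory.
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

# userAccountControl bit 0x2 = ACCOUNTDISABLE, tested with the LDAP
# bitwise-AND matching rule; homeMDB present = the user has a mailbox.
$filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2))'
$selfSid = 'S-1-5-10'           # well-known SID of NT AUTHORITY\SELF

function ConvertTo-SidString($Value) {
    # Hypothetical helper: the attribute may come back as raw bytes
    # or as a SecurityIdentifier object, so handle both.
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier `
                -ArgumentList $Value, 0).Value
    }
    return "$Value"
}

$report = Get-ADUser -LDAPFilter $filter `
        -Properties msExchMasterAccountSid, homeMDB, whenChanged |
    ForEach-Object {
        $mas = ConvertTo-SidString $_.msExchMasterAccountSid
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            DN             = $_.DistinguishedName
            WhenChanged    = $_.whenChanged
            # MISSING = disabled mailbox user with no master account SID
            MasterAccount  = if (-not $mas) { 'MISSING' }
                             elseif ($mas -eq $selfSid) { 'SELF' }
                             else { $mas }
        }
    }

# Show the accounts that still need a master account SID, oldest first,
# and keep the full list as a record for later review.
$report | Where-Object MasterAccount -eq 'MISSING' |
    Sort-Object WhenChanged | Format-Table -AutoSize
$report | Export-Csv -Path .\disabled-mailbox-audit.csv -NoTypeInformation
```

Rows that show a SID other than SELF identify an external account associated with the mailbox, which is worth reviewing for departed users.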