Subject: [ActiveDir] Disabled User Accounts Accessing Resources

rmscheck
07/22/2008 8:48 AM
Hey guys,

Is this intended? I have disabled AD users, but they can still access OWA. I am unsure why or how to fix this. Is it even broke?

On another note, will multiple attempts with a bad password on OWA lock an AD account, provided we have the policy set?

Thanks,
Rand


bhopkins
07/22/2008 9:43 AM
If you have Exchange 2007, then a disabled user that has a mail account can still access mail resources through OWA or MAPI if you have them enabled. You have to disable their mail access in the Exchange 2007 manager. It did not work this way in 2003, but does in 2007. I'm not sure why Microsoft did this as I thought 2007 was supposed to be more tightly integrated with AD and not the other way around.



Thanks
Bruce Hopkins
770-528-4574
Director Information Systems
Chattahoochee Technical College
http://www.chattcollege.com



(\__/)
(='.'=) This is Bunny. Copy and paste bunny into your
(")_(") signature to help him gain world domination.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Tuesday, July 22, 2008 8:46 AM
To: Active Dir
Subject: [ActiveDir] Disabled User Accounts Accessing Resources

Hey guys,

Is this intended? I have disabled AD users, but they can still access OWA. I am unsure why or how to fix this. Is it even broke?

On another note, will multiple attempts with a bad password on OWA lock an AD account, provided we have the policy set?

Thanks,
Rand



kennedyjim
07/22/2008 10:03 AM
Wow, I didn't know this. This is insane, a disabled account that still has access to domain resources?!? That goes against every common sense description of how an account works that I can think of. I am not normally an MS basher but they sure have screwed the pooch on Exchange management with this version. Most disgusting.

Looks like hiding them from the address book will also keep them out of OWA. Glad this came up, we are in the process of closing two buildings and there are many accounts to deal with. We usually disable and wait a few weeks to see if anyone calls in case we got the wrong info from HR.




From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bruce Hopkins
Sent: Tuesday, July 22, 2008 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled User Accounts Accessing Resources

If you have Exchange 2007, then a disabled user that has a mail account can still access mail resources through OWA or MAPI if you have them enabled. You have to disable their mail access in the Exchange 2007 manager. It did not work this way in 2003, but does in 2007. I'm not sure why Microsoft did this as I thought 2007 was supposed to be more tightly integrated with AD and not the other way around.



Thanks
Bruce Hopkins
770-528-4574
Director Information Systems
Chattahoochee Technical College
http://www.chattcollege.com



(\__/)
(='.'=) This is Bunny. Copy and paste bunny into your
(")_(") signature to help him gain world domination.




hcoleman
07/22/2008 11:18 AM
Odd. Going to the "new" URL (https://server/owa) will not let the disabled user account access mail. However, going to the legacy URL (https://server/exchange), which then redirects to the new URL if the user's mailbox is on Exch 2007, will let the user successfully access mail. If you don't have any mailboxes on Exch 2000/2003, then you should be able to get rid of the legacy virtual directory to close this. Still, it does seem like a rather large hole.




hcoleman
07/22/2008 11:28 AM
It does eventually prevent the disabled user from getting to mail via the legacy URL. Looks like it's around 30 minutes after the account gets disabled.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Coleman, Hunter
Sent: Tuesday, July 22, 2008 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled User Accounts Accessing Resources

Odd. Going to the "new" URL (https://server/owa) will not let the disabled user account access mail. However, going to the legacy URL (https://server/exchange), which then redirects to the new URL if the user's mailbox is on Exch 2007, will let the user successfully access mail. If you don't have any mailboxes on Exch 2000/2003, then you should be able to get rid of the legacy virtual directory to close this. Still, it does seem like a rather large hole.




kennedyjim
07/22/2008 11:30 AM
I concur, I see that now after some further testing. I feel better now :)



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Coleman, Hunter
Sent: Tuesday, July 22, 2008 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled User Accounts Accessing Resources

It does eventually prevent the disabled user from getting to mail via the legacy URL. Looks like it's around 30 minutes after the account gets disabled.

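Added example, not part of the original thread: a log audit for the behavior reported above, flagging mail requests to /owa or the legacy /exchange path that succeeded after an account was disabled, and whether they fell inside the roughly 30-minute delay the posters observed. It assumes the IIS W3C log records cs-username and UTC times; the account names, addresses, disable time and log lines are constructed.

```python
from datetime import datetime, timedelta

MAIL_PATHS = ("/owa", "/exchange")  # new and legacy OWA virtual directories
CACHE_WINDOW = timedelta(minutes=30)  # delay reported in the thread

# Constructed sample: when each account was disabled in AD (UTC, like IIS logs).
DISABLED_AT = {r"corp\jdoe": datetime(2008, 7, 22, 15, 0, 0)}

# Constructed IIS W3C log excerpt; real logs carry more columns.
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2008-07-22 14:55:10 GET /owa/ CORP\jdoe 10.0.0.5 200
2008-07-22 15:04:31 GET /exchange/ CORP\jdoe 10.0.0.5 302
2008-07-22 15:04:32 GET /owa/ CORP\jdoe 10.0.0.5 200
2008-07-22 15:10:02 GET /owa/ CORP\asmith 10.0.0.9 200
2008-07-22 15:41:17 GET /exchange/ CORP\jdoe 10.0.0.5 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def access_after_disable(log_text, disabled_at):
    """Return (user, path, delay, past_window) for each non-error mail request
    made by an account after the time it was disabled."""
    hits = []
    for row in parse_w3c(log_text):
        user = row["cs-username"].lower()
        cutoff = disabled_at.get(user)
        if cutoff is None or row["when"] < cutoff:
            continue
        path = row["cs-uri-stem"].lower()
        if path.startswith(MAIL_PATHS) and int(row["sc-status"]) < 400:
            delay = row["when"] - cutoff
            hits.append((user, path, delay, delay > CACHE_WINDOW))
    return hits

if __name__ == "__main__":
    for user, path, delay, late in access_after_disable(SAMPLE_LOG, DISABLED_AT):
        print(user, path, delay, "PAST 30 MIN" if late else "within window")
```

A hit marked as past the window means access continued longer than the delay described in the thread, which points at mail access that was never turned off on the Exchange side.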


