FWIW, I've always been a fan of disassociating the user account from the mailbox and then disabling the user access by disabling the user object from login, moving it to a new OU, removing the groups, marking the object with a time stamp for later use, and logging every action taken to a text file for later review and auditing functions. I can leave a user account that I can associate and disassociate at will if I need access. It's not pretty, but then again, there is no pretty way to make this work. The scripts involved are pretty straightforward; it's a matter of figuring out what the process should be.

My $0.04 anyway.

Al
________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 8/17/2005 5:22 PM
To: [email protected]
Subject: Re: [ActiveDir] exchange weirdeness

thanks a lot!!

On 8/17/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> For folks who have already left, I'd go with granting "Self" full
> mailbox access. I haven't tested it, but if the account has already been
> disabled then I don't think that setting it to expire on a date in the
> past will restore the necessary mailbox permissions for you to access
> it.
>
> For future departures, I think the ideal thing is to have some sort of
> deprovisioning utility that handles disabling the account, possibly
> moving it to a different OU, sets the Self mailbox access, and any other
> rules that your business processes dictate. You could have that as a
> script or front-end it with a web page.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Wednesday, August 17, 2005 2:06 PM
> To: [email protected]
> Subject: Re: [ActiveDir] exchange weirdeness
>
> so, what is a good practice to deal with users who have left and their
> mailboxes?
>
> Should you just expire the account to a date in the past and then you
> can access their box?
> or can you give "Self" full mailbox access to a disabled account and
> then access the box?
>
> which way works?
> thanks a lot
>
> On 8/17/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > No. You're running into the msExchMasterAccountSID problem.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has
> > information, and points to the NoMAS tool. You can also handle this by
> > setting the attributes manually or via script.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Wednesday, August 17, 2005 12:48 PM
> > To: activedirectory
> > Subject: Re: [ActiveDir] exchange weirdeness
> >
> > update- i enabled the user account about 30 mins ago and updated the RUS.
> > still i get denied trying to log on via outlook and an event id
> > 9548 gets logged on the exchange server every time i try logging on,
> > stating that the account is still disabled...
> >
> > replication issue?
> >
> > dns is up and running. the only known issue is no connectivity to the
> > root. but the root has no users or mailservers.
> >
> > strange
> >
> > On 8/17/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > > I have mailbox enabled users in AD that have been disabled. However in
> > > ESM, they are not marked as such. When i run the cleanup agent, they
> > > are still not marked as disabled.
> > >
> > > When i try to Exmerge the box, I get an access denied error (i have
> > > full exchange admin rights inherited from the org and full mailbox
> > > right on the user).
> > > Also, i can't open their box via outlook as well.
> > >
> > > My situation at this firm is as such- we have no network
> > > connectivity to the root(for about 2 wks. don't ask, long story..).
> > > The users are all in my child domain as are their mailboxes. the
> > > root is empty.
> > >
> > > We are also running with netbios/tcp disabled forest wide.
> > >
> > > i know there are some issues with netbios being disabled and exmerge
> > > and ESM and outlook. Could this be a cause? I don't know the exact
> > > error you would get.
> > >
> > > I don't think having no connectivity to the root should be an issue.
> > > We have 4 dc's, 3 of which are gc's in the child domain.
> > >
> > > any advice would be great.
> > > thanks
> > >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
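
The deprovisioning steps discussed in this thread (grant Self full mailbox access, disable the account, remove the groups, time-stamp the object, move it to another OU, log every action to a text file), written out as an added PowerShell example; it is not code from any poster on the list. It assumes the ActiveDirectory module and, for the mailbox step, the Exchange 2007+ management cmdlets, both of which post-date the thread; the function name, parameter names, log path and the use of the Description attribute for the time stamp are hypothetical choices.

```powershell
#Requires -Modules ActiveDirectory
function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,      # sAMAccountName of the departed user
        [Parameter(Mandatory)][string]$HoldingOU,     # DN of the OU for disabled accounts (must already exist)
        [string]$LogPath = '.\deprovision-audit.log'  # constructed default path
    )
    # One tab-separated line per action: when, operator, account, what was done.
    function Write-Audit([string]$Action) {
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s)`t$env:USERNAME`t$Identity`t$Action"
    }
    $user = Get-ADUser -Identity $Identity -Properties MemberOf
    $dn   = $user.DistinguishedName
    # 1. Mailbox: grant SELF full access, as suggested in the thread for departed users.
    #    Assumes the Exchange 2007+ cmdlets are loaded; otherwise the step is skipped and logged.
    if (-not (Get-Command Add-MailboxPermission -ErrorAction SilentlyContinue)) {
        Write-Audit 'mailbox: Exchange cmdlets not loaded, SELF permission NOT set'
    } elseif ($PSCmdlet.ShouldProcess($dn, 'Grant SELF FullAccess on mailbox')) {
        Add-MailboxPermission -Identity $dn -User 'NT AUTHORITY\SELF' -AccessRights FullAccess | Out-Null
        Write-Audit 'mailbox: SELF granted FullAccess'
    }
    # 2. Block logon.
    if ($PSCmdlet.ShouldProcess($dn, 'Disable account')) {
        Disable-ADAccount -Identity $dn
        Write-Audit 'account disabled'
    }
    # 3. Strip group memberships, logging each group DN so they can be restored later.
    foreach ($group in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($group, "Remove member $Identity")) {
            Remove-ADGroupMember -Identity $group -Members $dn -Confirm:$false
            Write-Audit "removed from group: $group"
        }
    }
    # 4. Time-stamp the object (Description is this example's choice of attribute).
    $stamp = "Deprovisioned $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"
    if ($PSCmdlet.ShouldProcess($dn, "Set description '$stamp'")) {
        Set-ADUser -Identity $dn -Description $stamp
        Write-Audit "description set: $stamp"
    }
    # 5. Move last, because the move changes the DN the earlier steps rely on.
    if ($PSCmdlet.ShouldProcess($dn, "Move to $HoldingOU")) {
        Move-ADObject -Identity $dn -TargetPath $HoldingOU
        Write-Audit "moved from $dn to $HoldingOU"
    }
}

# Dry run with constructed names: reports each step, changes nothing.
# Disable-DepartedUser -Identity 'jdoe' -HoldingOU 'OU=Disabled,DC=example,DC=com' -WhatIf
```

The memberOf attribute does not list the primary group, so that membership is left in place; the per-group log lines are what make the removal reversible.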
