Hi,

In ESM you will only see connected or disconnected mailboxes.

To exmerge a mailbox you need at least the following permissions:
* 'Exchange View Only Administrator' permissions
* 'Receive As' and 'Send As' permissions
See MS-KBQ292509 & MS-KBQ262054 & MS-KBQ821897 for more info.
Don't use the default admin groups as these are explicitly denied the
permissions mentioned. Use a separate group and don't use a user account
that is a member of the default admin groups!!!

Just for additional info for those who are interested in it.... (some
time ago I also posted something similar)

What to do with user accounts that are or are not mailbox enabled when the
corresponding user(s) leave(s) the company. For that and without buying
a full blown solution you can create tooling in a simple way if the
following process is sufficient for you.

IT IS A 5 STEP PROCESS:
(1) Be sure to receive some notification a user has left the company
(2) Move its user account to a special de-provisioning OU (manually)
(3) Schedule a script to run regularly (daily or weekly or whatever is
good for you) to disable AD enabled user accounts in the de-provisioning
OU and if the account is mailbox enabled to add the "Associated External
Account" permission to SELF. Also generate and set a difficult password
(be careful with certificates if you use them for encryption!)
(4) Schedule a script to run regularly (daily or weekly or whatever is
good for you) to check the de-provisioning OU for disabled user accounts
that have been unused for a certain (inactive) period (e.g. 90 days). In
a W2K3 domain with Domain Functional Level 'Windows Server 2003' you can
use the 'lastLogonTimestamp' attribute that determines the last time a
user logged on. In a W2K domain or W2K3 domain with Domain Functional
Level 'Windows Server 2000 native' or lower you can use the 'lastLogon'
attribute which is less accurate, but that will do.
If user accounts are found that meet the prerequisites (disabled and
exceed a certain inactive period):
* Create a directory for the user in some "Archive Location" (the
archive location is a location where the user's stuff will be copied to,
backed up for a certain time and after some other period the user's stuff
is removed)
* Extract all populated attributes of the user account to the user's
archive location (using LDIFDE)
* Check if a home directory exists (read attribute and check location)
and MOVE it to the user's archive location
* Check if a profile directory exists (read attribute and check
location) and MOVE it to the user's archive location
* Check if a TS home directory exists (read attribute and check
location) and MOVE it to the user's archive location
* Check if a TS profile directory exists (read attribute and check
location) and MOVE it to the user's archive location
* Exmerge the mailbox into a PST in the user's archive location
(5) Schedule a script to run regularly (daily or weekly or whatever is
good for you) to check all users' archive locations to see which
exceed the archiving period for backup (e.g. 60 days). For this compare
the folder creation date with the current date. If a user archive
location is found and it is older than the current date minus the
minimum required archiving period for backup, delete the folder

TOOLS USED:
* ADModcmd.exe and others from (ADModify.NET)
(http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)
* Robocopy.exe (tested with: v5.1.1.1010) (W2K3 Resource Kit)
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
* ExMerge.exe (tested with: v6.5.7529.0)
(http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5&displaylang=en)

Cheers,
Jorge
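
The selection test from step (4) above, sketched in Python as an added example (not part of the original post and not the poster's script). It assumes the attribute values have already been read from the de-provisioning OU, for instance from an LDIFDE export; the sample records, the 14-day slack for lastLogonTimestamp replication lag, and the choice to treat a never-used account as inactive are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002      # userAccountControl bit set on a disabled account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVE_DAYS = 90           # inactive period used as the example in step (4)
# lastLogonTimestamp is only updated when the stored value is about two weeks
# old (default sync interval of 14 days), so it can lag the real last logon.
REPLICATION_SLACK_DAYS = 14  # assumption: default interval is in effect


def filetime_to_datetime(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC).
    Returns None for a missing or zero value (account never logged on)."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def ready_for_archive(user, now):
    """True when the account is disabled AND inactive for the whole period."""
    if not int(user.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return False         # still enabled: step (3) has not processed it yet
    last = filetime_to_datetime(user.get("lastLogonTimestamp"))
    if last is None:
        return True          # assumption: never logged on counts as inactive
    cutoff = now - timedelta(days=INACTIVE_DAYS + REPLICATION_SLACK_DAYS)
    return last <= cutoff


def select(users, now):
    return [u["sAMAccountName"] for u in users if ready_for_archive(u, now)]


NOW = datetime(2005, 8, 17, tzinfo=timezone.utc)
# Constructed sample records: 514 = normal account + disabled, 512 = enabled.
SAMPLE_USERS = [
    {"sAMAccountName": "old.leaver", "userAccountControl": "514",
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=200)))},
    {"sAMAccountName": "recent.leaver", "userAccountControl": "514",
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=95)))},
    {"sAMAccountName": "still.enabled", "userAccountControl": "512",
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=300)))},
    {"sAMAccountName": "never.logon", "userAccountControl": "514"},
]

if __name__ == "__main__":
    print(select(SAMPLE_USERS, NOW))
```

The account at 95 days is held back because, with the slack added, its replicated timestamp cannot yet prove 90 full days of inactivity.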


 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 20:12
To: activedirectory
Subject: [ActiveDir] exchange weirdeness

I have mailbox enabled users in AD that have been disabled. However in
ESM, they are not marked as such. When I run the cleanup agent, they are
still not marked as disabled.

When I try to Exmerge the box, I get an access denied error (I have full
exchange admin rights inherited from the org and full mailbox right on
the user).
Also, I can't open their box via Outlook as well.

My situation at this firm is as such: we have no network connectivity to
the root (for about 2 wks. Don't ask, long story..).
The users are all in my child domain as are their mailboxes. The root is
empty.

We are also running with netbios/tcp disabled forest wide.

I know there are some issues with NetBIOS being disabled and Exmerge and
ESM and Outlook. Could this be a cause? I don't know the exact error you
would get.

I don't think having no connectivity to the root should be an issue.
We have 4 DCs, 3 of which are GCs in the child domain.

Any advice would be great.
Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

