The problem with using NoMAS is that you are always chasing your tails. You have to remember to run it often, and in the meantime, your Exchange server is being crippled by event ID 9548.

The "fix" for this "issue" is more process than technical. You need to work out a termination process with your management and HR. You need to establish how long you need to retain an ex-employee's account and "stuffs" for before you whack them.

Because I cannot usually whack them right away, this is what I usually do:

- Move the account to a special "terminated" OU.
- Remove the account from ALL groups, add it to a special "terminated" group, and make the "terminated" group the primary group of the account.
- Set a stupidly long, non-intelligent, auto-generated password on the account.
- ExMerge the mailbox contents and hide the mailbox.
- Put in a comment on the account specifying the date all this was done.

The "special" OU and group have "special" policies - for example, no dial-in, no console login, no over-the-network access to resources, etc. - applied to them. Then I have a "cleanup" script that goes in weekly and deprovisions any terminated account that has been terminated longer than x number of days/weeks/months.

The above may not be an efficient process. But it is a process. You need to work out one that works for your environment.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ion Gott
Sent: Fri 3/3/2006 3:17 PM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] Disabled Accounts/Mail accepted

I believe this issue really depended on the permissions on the mailbox and the synchronization of the security attributes. I can't recall, but I believe it did behave a bit differently in Exchange 2000. I use NOMAS.exe to fix and sync the permissions when I enable/disable accounts. All my resource mailboxes are disabled and have SELF set as the associated external account and have an msExchMasterAccountSid set.

Ion <http://www.dyntek.com>

________________________________
From: [EMAIL PROTECTED] on behalf of Cariglia, Daniel
Sent: Fri 3/3/2006 1:58 PM
To: [email protected]
Subject: [ActiveDir] Disabled Accounts/Mail accepted

Hello,

A few years back we had changed the way we disabled AD user accounts from disabling the account to restricting logon hours (restricted 24x7) and hiding from the GAL. We did this because mail sent to disabled accounts was getting rejected and the sender was getting an NDR. Also, management would come back to us a week later and want the ex-employee's email correspondence after they left the company. At that time we were a 2000 SP2 domain with Exchange 2000; currently we are a 2003 SP1 domain with Exchange 2003.

Presently, we have become aware that mail sent to accounts with the disabled box checked arrives in the mailbox. My question is... did this behavior change when you upgraded to 2003 AD/Exchange 2003 or at some service pack level? Were we wrong in our original assumption that email would not flow to disabled accounts a few years back?

The following MSFT article seems to support my assumption that disabled accounts will generate an NDR unless modified. http://support.microsoft.com/default.aspx?scid=kb;EN-US;319047

Any thoughts on this, thank you in advance.

Dan

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
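The termination and weekly cleanup process Dèjì describes above, written out as an added PowerShell example; this is not code from the thread or from any of its participants, and it assumes the ActiveDirectory module (Windows Server 2008 R2 or later), an OU named "Terminated" under example.com, a group named "Terminated", and a 90-day retention period, all of which are placeholders for your own policy. The mailbox export step is Exchange-version specific (ExMerge in the thread's era), so it is left as a commented line.

```powershell
# Added example: terminate-then-reap process using the ActiveDirectory module.
# OU, group name and retention period below are assumptions; adjust to policy.
Import-Module ActiveDirectory

$TerminatedOU    = "OU=Terminated,DC=example,DC=com"   # assumed lockdown OU (GPOs applied here)
$TerminatedGroup = "Terminated"                        # assumed group with restrictive policies
$RetentionDays   = 90                                  # assumed retention period agreed with HR

function Invoke-TerminateUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser  -Identity $SamAccountName -Properties MemberOf
    $group = Get-ADGroup -Identity $TerminatedGroup -Properties primaryGroupToken

    # 1. Add to the "terminated" group and make it the primary group FIRST:
    #    AD refuses to remove a user from its current primary group (Domain Users),
    #    so the primary group has to change before the membership sweep.
    Add-ADGroupMember -Identity $group -Members $user
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # 2. Strip every other group membership (Domain Users included now that it is no longer primary).
    foreach ($dn in $user.MemberOf) {
        if ($dn -ne $group.DistinguishedName) {
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
        }
    }

    # 3. Long, random, never-seen-by-a-human password, then disable the account.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
    Disable-ADAccount -Identity $user

    # 4. Stamp the termination date on the object so the cleanup job can compute retention.
    Set-ADUser -Identity $user -Description ("TERMINATED " + (Get-Date -Format 'yyyy-MM-dd'))

    # 5. Mailbox: export per your Exchange version, then hide it from the GAL.
    #    Requires the Exchange Management Shell; left commented so the AD part runs stand-alone.
    # Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true

    # 6. Move under the restricted OU last, so the lockdown GPOs apply from here on.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU
}

function Invoke-TerminatedCleanup {
    # Weekly job: delete anything stamped older than the retention period.
    # Run with -WhatIf first to review what would be removed.
    param([switch]$WhatIf)

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $TerminatedOU -Filter 'Description -like "TERMINATED *"' -Properties Description |
        ForEach-Object {
            # Description is "TERMINATED yyyy-MM-dd"; the date starts at offset 11.
            $stamp = [datetime]::ParseExact($_.Description.Substring(11), 'yyyy-MM-dd', $null)
            if ($stamp -lt $cutoff) {
                Write-Host "Deprovisioning $($_.SamAccountName) (terminated $($stamp.ToShortDateString()))"
                Remove-ADUser -Identity $_ -Confirm:$false -WhatIf:$WhatIf
            }
        }
}

# Usage (assumed lab account):
# Invoke-TerminateUser -SamAccountName jdoe
# Invoke-TerminatedCleanup -WhatIf      # review
# Invoke-TerminatedCleanup              # scheduled weekly
```

The ordering matters for the point the thread is making: the primary-group swap has to happen before the membership sweep or the removal from Domain Users fails, and the move into the locked-down OU goes last so the account is already stripped of groups and password when the restrictive GPOs take effect. Stamping the date in the Description keeps the retention decision auditable on the object itself rather than in a side spreadsheet.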
