Title: Re: [ActiveDir] exchange weirdeness
I think this is fine in a small environment, or *maybe* in a large environment if the chances of moving the mailbox are very, very slim or the chances of reconnection are very, very slim.
 
As mentioned previously, the lack of the ability to move a disconnected mailbox (say you have a server issue and are trying to get mailboxes off of it quickly) and the crappy, nasty, horrible WMI reconnect programmatic method make this a nightmare to deal with in a large org. If MS published the details for doing a MAPI reconnect, I would happily write a command-line tool to handle this so it could be done in a realistic way for an enterprise. I have begged for the source to a couple of tools they have that do things like this (such as MBCONNECT) but haven't thus far gotten it. I just recently purchased the supposedly best MAPI book ever (Inside MAPI), which is not available in hard copy anymore but which I got on CD for like $60, so I can hopefully try to work out how to do this.
 
I much prefer moving the object, disabling it, and properly setting the MAS and ACL to Self on the mailbox. This is what I push for in the larger Exchange deployments (100k+), but I would really recommend it for anyone who is looking to handle things the easiest way programmatically.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 17, 2005 7:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange weirdeness

FWIW, I've always been a fan of disassociating the user account from the mailbox and then disabling user access by disabling the user object from login, moving it to a new OU, removing the groups, marking the object with a time stamp for later use, and logging every action taken to a text file for later review and auditing functions.
 
I can leave a user account that I can associate and disassociate at will if I need access.  It's not pretty, but then again, there is no pretty way to make this work.
 
The scripts involved are pretty straightforward; it's a matter of figuring out what the process should be.
 
My $0.04 anyway.
 
Al


From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 8/17/2005 5:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] exchange weirdeness

thanks a lot!!

On 8/17/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> For folks who have already left, I'd go with granting "Self" full
> mailbox access. I haven't tested it, but if the account has already been
> disabled then I don't think that setting it to expire on a date in the
> past will restore the necessary mailbox permissions for you to access
> it.
>
> For future departures, I think the ideal thing is to have some sort of
> deprovisioning utility that handles disabling the account, possibly
> moving it to a different OU, sets the Self mailbox access, and any other
> rules that your business processes dictate. You could have that as a
> script or front-end it with a web page.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
> Sent: Wednesday, August 17, 2005 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] exchange weirdeness
>
> So, what is a good practice to deal with users who have left and their
> mailboxes?
>
> Should you just expire the account to a date in the past and then you
> can access their box?
> or can you give "Self" full mailbox access to a disabled account and
> then access the box?
>
> which way works?
> thanks a lot
>
> On 8/17/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > No. You're running into the msExchMasterAccountSID problem.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has
> > information, and points to the NoMAS tool. You can also handle this by
> > setting the attributes manually or via script.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
> > Sent: Wednesday, August 17, 2005 12:48 PM
> > To: activedirectory
> > Subject: Re: [ActiveDir] exchange weirdeness
> >
> > Update: I enabled the user account about 30 mins ago and updated the
> > RUS.
> > Still I get denied trying to log on via Outlook, and an event ID
> > 9548 gets logged on the Exchange server every time I try logging on,
> > stating that the account is still disabled...
> >
> > Replication issue?
> >
> > DNS is up and running. The only known issue is no connectivity to the
> > root. But the root has no users or mail servers.
> >
> > strange
> >
> > On 8/17/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > > I have mailbox-enabled users in AD that have been disabled. However,
> > > in ESM, they are not marked as such. When I run the cleanup agent,
> > > they are still not marked as disabled.
> > >
> > > When I try to ExMerge the box, I get an access denied error (I have
> > > full Exchange admin rights inherited from the org and full mailbox
> > > rights on the user).
> > > Also, I can't open their box via Outlook.
> > >
> > > My situation at this firm is as such: we have no network
> > > connectivity to the root (for about 2 wks. don't ask, long story..).
> > > The users are all in my child domain, as are their mailboxes. The
> > > root is empty.
> > >
> > > We are also running with NetBIOS/TCP disabled forest wide.
> > >
> > > I know there are some issues with NetBIOS being disabled and ExMerge
> > > and ESM and Outlook. Could this be a cause? I don't know the exact
> > > error you would get.
> > >
> > > I don't think having no connectivity to the root should be an issue.
> > > We have 4 DCs, 3 of which are GCs, in the child domain.
> > >
> > > Any advice would be great.
> > > Thanks
> > >
>
List info   : http://www.activedir.org/Listaspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
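The deprovisioning that the top post argues for (move the object, disable it, set the MAS and the mailbox ACL to Self), that Al Mulnick's process lists (disable, move to a new OU, strip groups, time-stamp, log every action to a text file) and that Hunter Coleman suggests in the quoted reply (grant "Self" full mailbox access instead of fighting event 9548 afterwards), as one added PowerShell script. This is not code from the thread or from any of its authors, and it is not NoMAS. It deliberately uses plain ADSI (System.DirectoryServices and the ADSI COM objects) rather than the ActiveDirectory module, so it works against a forest of the vintage discussed here. Everything not named in the posts is an assumption: the lookup by sAMAccountName, the holding OU, extensionAttribute15 as the time-stamp field, and the log path.

```powershell
<#
  Added example, not code from the thread or its authors and not NoMAS.
  Deprovisions one mailbox-enabled user in the order the posts argue for:
  grant SELF full mailbox access and set msExchMasterAccountSID to SELF
  *before* disabling, so the account is never "disabled without a master
  account SID" (the condition event 9548 reports); then strip groups,
  time-stamp, log and move.
  Assumptions (none are in the original posts): lookup by sAMAccountName,
  the holding OU, extensionAttribute15 as the time-stamp field, the log path.
#>
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$DisabledOu = "OU=Disabled Users,DC=child,DC=example,DC=com",  # assumed
    [string]$LogFile    = "C:\Deprovision\deprovision.log"                # assumed
)

$ADS_UF_ACCOUNTDISABLE = 0x2         # userAccountControl bit
$ADS_ACETYPE_ALLOWED   = 0           # ADS_ACETYPE_ACCESS_ALLOWED
$FULL_MAILBOX_ACCESS   = 0x1         # Exchange mailbox-rights bit "Full mailbox access"
$SELF_SID              = "S-1-5-10"  # well-known SID of NT AUTHORITY\SELF

function Write-Log([string]$Action, [string]$Dn, [string]$Detail) {
    # One tab-separated line per action so the log can be reviewed or audited later.
    $line = "{0:yyyy-MM-dd HH:mm:ss}`t{1}`t{2}`t{3}`t{4}" -f (Get-Date), $env:USERNAME, $Action, $Dn, $Detail
    Add-Content -Path $LogFile -Value $line
}

function Find-User([string]$Sam) {
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No user with sAMAccountName '$Sam'" }
    return $hit.GetDirectoryEntry()
}

function Grant-SelfFullMailboxAccess($User) {
    # Mailbox rights live in msExchMailboxSecurityDescriptor (an IADsSecurityDescriptor),
    # which is what the ADUC "Mailbox Rights" dialog edits.
    $sd = $User.psbase.Properties["msExchMailboxSecurityDescriptor"].Value
    if ($null -eq $sd) { throw "no msExchMailboxSecurityDescriptor: user is not mailbox-enabled" }
    $dacl = $sd.DiscretionaryAcl
    $ace  = New-Object -ComObject AccessControlEntry
    $ace.Trustee    = "NT AUTHORITY\SELF"
    $ace.AccessMask = $FULL_MAILBOX_ACCESS
    $ace.AceType    = $ADS_ACETYPE_ALLOWED
    $dacl.AddAce($ace)
    $sd.DiscretionaryAcl = $dacl
    $User.psbase.Properties["msExchMailboxSecurityDescriptor"].Value = $sd
    $User.psbase.CommitChanges()
}

function Set-MasterAccountSidToSelf($User) {
    # msExchMasterAccountSID has SID syntax, so write the binary form of S-1-5-10.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SELF_SID)
    $bytes = New-Object byte[] ($sid.BinaryLength)
    $sid.GetBinaryForm($bytes, 0)
    $User.psbase.Properties["msExchMasterAccountSID"].Value = $bytes
    $User.psbase.CommitChanges()
}

function Disable-Account($User) {
    $uac = [int]$User.psbase.Properties["userAccountControl"].Value
    $User.psbase.Properties["userAccountControl"].Value = ($uac -bor $ADS_UF_ACCOUNTDISABLE)
    $User.psbase.CommitChanges()
}

function Remove-AllGroupMemberships($User) {
    # memberOf does not list the primary group (normally Domain Users); that one stays.
    $removed = @()
    foreach ($groupDn in @($User.psbase.Properties["memberOf"])) {
        $group = [ADSI]"LDAP://$groupDn"
        $group.psbase.Invoke("Remove", $User.psbase.Path)   # IADsGroup::Remove
        $removed += $groupDn
    }
    return $removed
}

$user = Find-User $SamAccountName
$dn   = $user.psbase.Properties["distinguishedName"].Value
try {
    Grant-SelfFullMailboxAccess $user;  Write-Log "mailbox-rights" $dn "SELF: Full mailbox access"
    Set-MasterAccountSidToSelf  $user;  Write-Log "msExchMasterAccountSID" $dn $SELF_SID
    Disable-Account             $user;  Write-Log "disable" $dn "userAccountControl |= ACCOUNTDISABLE"
    foreach ($g in Remove-AllGroupMemberships $user) { Write-Log "remove-from-group" $dn $g }
    $user.psbase.Properties["extensionAttribute15"].Value = (Get-Date).ToString("o")   # assumed field
    $user.psbase.CommitChanges();       Write-Log "timestamp" $dn "extensionAttribute15"
    $user.psbase.MoveTo([ADSI]"LDAP://$DisabledOu");  Write-Log "move" $dn $DisabledOu   # last: the DN changes
} catch {
    Write-Log "ERROR" $dn $_.Exception.Message
    throw
}
```

Run it as an account that can write the user object and its msExchMailboxSecurityDescriptor; the order matters, since the mailbox rights and master account SID go on before the disable bit, and the move goes last because it changes the object's path. Two caveats a practitioner will want: if the person comes back, clear msExchMasterAccountSID (PutEx with ADS_PROPERTY_CLEAR) when you re-enable the account, because Exchange treats the master account SID, not the account's own SID, as the mailbox owner and will deny the real user while it is set; and the information store caches what it last read from the directory about a user (by default for up to two hours), so, as in the re-enable attempt quoted above, a change of this kind can take a while to be honoured by Outlook or ExMerge.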
