+1. I just discovered that one of our guys did the same thing two weeks ago when a director-level user at a client got let go. User had access via BB for a week and a half.
Bill

Kurt Buff wrote:
> Indeed, you are correct.
>
> I just ran into this today.
>
> One of my minions was given the task of following through on the
> termination of an employee last week, and he failed to take this into
> account.
>
> I went to the BES (BPS actually, but that's close enough) and deleted
> the user account in the BB system. We're allowing the termed employee
> to keep the device, and it was considered a bit rude to disable the
> phone while they're still considered technically on leave.
>
> I'll be reviewing termination procedures and the checklist with them
> tomorrow...
>
> Kurt
>
> On Wed, Feb 16, 2011 at 14:09, Michael B. Smith <mich...@smithcons.com> wrote:
>> Actually, because BESADMIN is the account using MAPI, not the end-user
>> account, I don’t think disabling MAPI is going to do a darn thing here.
>>
>> Removing Exchange attributes is the way to go.
>>
>> (Sorry, I didn’t think of that. I’m not a BES expert, I just play one on
>> TV.)
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Wednesday, February 16, 2011 5:05 PM
>> To: NT System Admin Issues
>> Subject: RE: Disabled AD Accounts and BES
>>
>> BES uses MAPI, yes. But if you want to prevent ActiveSync and OWA access,
>> you also need to turn those off.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Wednesday, February 16, 2011 5:01 PM
>> To: NT System Admin Issues
>> Subject: Re: Disabled AD Accounts and BES
>>
>> Moving forward, I would make wiping the device for terminated users an
>> SOP... And consider doing it now.
>>
>> On Wed, Feb 16, 2011 at 3:07 PM, Harry Singh <hbo...@gmail.com> wrote:
>>
>> Ahh. Thanks Michael.
>>
>> I'll make sure the team updates their documentation to either remove
>> Exchange Attributes -- which I assume isn't too difficult to add back on in
>> the event the user returns -- or disable certain mailbox features. To
>> confirm, in regard to BES, if I disable the MAPI function, that should
>> suffice right?
>>
>> Harry.
>>
>> On Wed, Feb 16, 2011 at 2:56 PM, Michael B. Smith <mich...@smithcons.com>
>> wrote:
>>
>> Disabling a user doesn’t stop its mailbox from receiving or sending email.
>> That is a specific required use-case in cross-forest scenarios.
>>
>> You need to disable their access via the mailbox features (MAPI and OWA and
>> EAS are the top-3) or remove Exchange attributes from the account.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>> From: Harry Singh [mailto:hbo...@gmail.com]
>> Sent: Wednesday, February 16, 2011 2:50 PM
>> To: NT System Admin Issues
>> Subject: OT: Disabled AD Accounts and BES
>>
>> All -
>>
>> There is a suspicion that a recently terminated employee's credentials might
>> still be in use on the network. (Disclaimer: I don't handle user
>> termination/creation) Since the user had multiple computers, I thought it
>> may be possible that an Outlook session and of course Windows session
>> remained logged in while the account was disabled. But I confirmed that
>> wasn't the case. We confirmed that the user's BB was still in service on the
>> BES console. It turns out that the user may still have been accessing
>> corporate e-mail from the BB, my question then is: How is it possible that
>> by disabling an AD account (changed the p/w as well) can BES still operate
>> normally? What are your procedures/steps for user terminations/exits?
>>
>> Environment: AD 2003 R2 / Exchange 2K10 / BES 5.0
>>
>> Thanks,
>>
>> Harry.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
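
An audit for the gap this thread describes, as an added example that is not part of the original messages: run in the Exchange 2010 Management Shell, it lists user mailboxes whose AD account is disabled while MAPI, OWA or ActiveSync is still enabled. The account name `jdoe` is a constructed placeholder, and the BES side is not scripted here.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# A disabled AD account does not by itself stop mailbox access, so look for
# user mailboxes that are disabled in AD but still reachable over a client
# protocol. Linked/shared mailboxes are excluded by RecipientTypeDetails,
# because a disabled account is expected for those.

$stale = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
    ForEach-Object {
        $cas = Get-CASMailbox -Identity $_.DistinguishedName
        # PowerShell 2.0 compatible object construction
        New-Object PSObject -Property @{
            User       = $_.SamAccountName
            MAPI       = $cas.MAPIEnabled
            OWA        = $cas.OWAEnabled
            ActiveSync = $cas.ActiveSyncEnabled
        }
    } |
    Where-Object { $_.MAPI -or $_.OWA -or $_.ActiveSync }

# Review list: every row is a terminated or disabled user with a live path
# to the mailbox.
$stale | Sort-Object User | Format-Table User, MAPI, OWA, ActiveSync -AutoSize

# Remediation for one reviewed account. 'jdoe' is a constructed placeholder.
# -WhatIf shows what would change without changing it; remove it to apply.
Set-CASMailbox -Identity 'jdoe' `
    -MAPIEnabled $false -OWAEnabled $false -ActiveSyncEnabled $false -WhatIf

# As noted in the thread, BES reaches the mailbox through the BESADMIN
# service account, so the per-user MAPI flag may not cut off the handheld.
# Either delete the user in the BES console, or remove the Exchange
# attributes from the account:
Disable-Mailbox -Identity 'jdoe' -WhatIf
```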