RE: [ActiveDir] Effectively Disable Accounts

2005-08-21 Thread joe
Let me guess, the errors were 9548's for disabling accounts that still had
active mailboxes?

The MS "proper" way of correcting this is documented here. It is something
you can do programmatically.

http://support.microsoft.com/Default.aspx?kbid=278966


Basically the issue is an Exchange issue where the Exchange Dev folks
figured that the only reason someone would have a live mailbox on a disabled
ID would be for a resource mailbox, so they make all sorts of assumptions
around disabled user ids that are mailbox enabled. This blows up in their
face because if the account is really just a user you no longer want to be
able to log on but you don't want to delete the mailbox [1] for many many
good reasons you wouldn't normally think to set MSEMAS so it dorks Exchange
up and if you get enough of this you start experiencing Store hangs. This is a
huge problem in companies with large Exchange deployments. Hopefully one day
MS Exchange Dev will correct this design flaw. I expect Exchange 12 will
correct all the current flaws due to bad assumptions and spawn a whole new
set based on other bad assumptions to deal with. :o)

   joe


[1] Yes I understand retention store but I also understand that MS didn't
give a realistic programmatic reconnect method and doesn't allow
disconnected mailboxes to be moved if needed. The reconnect is a half-ass
WMI mechanism that I see no reason why they did it the way they did it.
Works great in a small environment but reconnects in a small environment
aren't usually that great of an issue in the first place. Makes me want to
say that the Exchange developers shouldn't be allowed to develop on anything
but large 100+ Exchange Server labs and are forced to do support inside of
MS on a monthly basis (say 1 week a month) to see how the environments are
really managed.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 10, 2005 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Effectively Disable Accounts

I've written a script that we use instead of disabling accounts when people
leave.  It prevents the account from being used, but also eliminates some
errors we had with Exchange when we had a bunch of mailboxes tied to
disabled accounts.  Here it is, if anyone's interested.

Thoughts?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
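The KB 278966 fix joe refers to is to populate msExchMasterAccountSid (MSEMAS) with the well-known SELF SID on every disabled account that still owns a mailbox, and to log what was touched. The following is an added example (not joe's or Scott's script) that encodes the SELF SID in the binary form the attribute stores and builds a dry-run change plan over constructed user records; it contacts no directory, and record field names mirror the AD attributes (userAccountControl, homeMDB, msExchMasterAccountSid, memberOf).

```python
"""Added example: plan the KB 278966 fix for disabled, mailbox-enabled users.
The user records below are constructed stand-ins for LDAP search results."""
from __future__ import annotations
import struct

UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit for a disabled account
SELF_SID = "S-1-5-10"     # well-known SID "SELF", the value KB 278966 uses

def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-R-IA-sub...) as the binary SID structure:
    revision, sub-authority count, 6-byte big-endian authority, then
    little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def needs_master_account_sid(user: dict) -> bool:
    """The state joe describes: disabled, still mailbox-enabled, no MSEMAS."""
    disabled = bool(user.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)
    has_mailbox = bool(user.get("homeMDB"))
    return disabled and has_mailbox and user.get("msExchMasterAccountSid") is None

def plan_fixes(users: list[dict]) -> tuple[list[dict], list[str]]:
    """Return the LDAP replace operations to apply and one log line per user
    (group memberships are logged, as Al suggests, so they can be restored)."""
    ops, log = [], []
    for u in users:
        if needs_master_account_sid(u):
            ops.append({"dn": u["dn"],
                        "replace": {"msExchMasterAccountSid": sid_to_bytes(SELF_SID)}})
            log.append(f"{u['dn']}: set msExchMasterAccountSid=SELF; "
                       f"memberOf={u.get('memberOf', [])}")
        else:
            log.append(f"{u['dn']}: no change")
    return ops, log

# Constructed sample records (DNs and store name are made up for this example).
STORE = "CN=Mailbox Store (SRV1),CN=First Storage Group,DC=example,DC=com"
SAMPLE_USERS = [
    {"dn": "CN=Left Company,OU=Leavers,DC=example,DC=com", "userAccountControl": 0x202,
     "homeMDB": STORE, "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Still Here,OU=Users,DC=example,DC=com", "userAccountControl": 0x200,
     "homeMDB": STORE},
    {"dn": "CN=Room 101,OU=Resources,DC=example,DC=com", "userAccountControl": 0x202,
     "homeMDB": STORE, "msExchMasterAccountSid": sid_to_bytes(SELF_SID)},
]
```

Running `plan_fixes(SAMPLE_USERS)` yields one operation, for the leaver only: the enabled user and the resource mailbox that already carries MSEMAS are left alone.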


RE: [ActiveDir] Effectively Disable Accounts

2005-08-10 Thread Al Mulnick
My thoughts?  Thanks for posting it.  That's very kind of you.  Very useful as 
well. 

If I were to make or suggest modifications, I would suggest that you add a 
logging feature, especially for the groups you are removing.  I would also 
suggest that you make it accept either command line or text file input 
specifying the user vs. doing that to an entire OU.  Or maybe all three as that 
likely works where you are?

You could also rely on the mailstore being disconnected from the user object 
for X days (as set in your environment) and reanimation of the user object 
should it be needed as part of the process.  That effectively gives you X days 
for Exchange mail data prior to cleanup, and up to currently 180 days for the 
AD user object. 

You would of course have to ensure that the necessary information for your 
environment was kept somewhere or modify the AD so that it keeps it so you can 
put that data back correctly.  I'm a fan of keeping that data in off-line text 
file format but I'm sure there are other opinions as well. 

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 10, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Effectively Disable Accounts


I've written a script that we use instead of disabling accounts when people 
leave.  It prevents the account from being used, but also eliminates some 
errors we had with Exchange when we had a bunch of mailboxes tied to disabled 
accounts.  Here it is, if anyone's interested.

Thoughts?