9

In Exchange 2010, if an AD user is disabled but another user has access to their mailbox, will they still be able to access the mailbox or does that user need to remain enabled for this functionality to work?

Windows Ninja
  • 2,546
  • 18
  • 46
  • 70
  • 1
    If I'm providing an ex-employee's manager with access to their mailbox after they leave the company, what would the best practice for that be? I've been doing it currently by re-enabling the AD user account and changing their password to prevent them from accessing it...is there a better way to go about doing this? – Windows Ninja Feb 28 '12 at 16:07
  • We've had some goofy things happen when disabling mailboxes...can't remember the problem offhand, but we ended up just using a note in their account saying they're disabled and changing the password as well. – Bart Silverstrim Feb 28 '12 at 16:33
  • My bad, didn't read the tag. I was referring to Exchange 2003, although I believe there was a hotfix related to disabled mailboxes that allowed them to receive email and be accessed. In any event, we usually leave the user account enabled and change the password. – joeqwerty Feb 28 '12 at 16:48
  • @joeqwerty There is a hotfix (#916783) (http://support.microsoft.com/kb/903158/en-us) in Exchange 2003 that allows that. :)! – Ethabelle Feb 28 '12 at 20:20
  • Ethabelle: thanks for confirming that and thanks for the link. :) – joeqwerty Feb 29 '12 at 12:44

2 Answers

21

If you disable a user in AD, their mailbox still exists and you should still be able to access the mailbox because AD simply controls the authentication, but the permissions to the mailbox will still exist. At least, that was how it was in 2003. I haven't had the opportunity to work with 2010, but I assume the functionality would be similar in this regard and easily testable.


You can also connect the mailbox to someone else's account. I'm going to link you to this technet article that can give you some ideas on what will be easiest for you; technet article!

There are three operations you can perform on a disabled mailbox:

  • Connect it to an existing user account in Active Directory
  • Restore it to a new or existing user account in Active Directory
  • Permanently delete it from the Exchange mailbox database

A side note: this applies to disabled AD accounts as well.

Ethabelle
  • 2,032
  • 14
  • 20
  • 3
    Yep, still works this way. Heck, you can delete the AD user and the mailbox is still there... – Chris S Feb 28 '12 at 16:36
3

In response to LunizWVU's question that he posited in the comment thread about the best practices to allow a manager to see a user's mailbox after they've been disabled, one of the best ways to handle this is to give the manager user rights to open the other user's mailbox. Below is an excerpt from http://technet.microsoft.com/en-us/magazine/ff381460.aspx:

Adding full access permissions

Syntax
# -Identity is the mailbox being configured; -User is the account receiving the right
Add-MailboxPermission -Identity <MailboxBeingConfigured> -User <UserBeingGrantedPermission> -AccessRights 'FullAccess'

Usage
Add-MailboxPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' -User 'CPANDL\boba' -AccessRights 'FullAccess'

Removing full access permissions

Syntax
Remove-MailboxPermission -Identity <MailboxBeingConfigured> -User <UserBeingGrantedPermission> -AccessRights 'FullAccess' -InheritanceType 'All'

Usage
Remove-MailboxPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' -User 'CPANDL\boba' -AccessRights 'FullAccess' -InheritanceType 'All'

Peter Grace
  • 3,446
  • 1
  • 26
  • 42
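Putting the two answers together, here is an added example (not code from either answer or from the TechNet page) of the leaver workflow the comment thread asks about: the account stays disabled, the manager gets Full Access, and the grant is verified and audited. It assumes Exchange 2010 SP1 or later (for -AutoMapping and mailbox audit logging), the Exchange Management Shell, and an importable ActiveDirectory module; the account names and the CPANDL domain are constructed placeholders.

```powershell
# Added example, not from the original answers. Run in the Exchange Management
# Shell on an Exchange 2010 SP1+ server. jorman, bsmith and CPANDL are
# constructed placeholders; replace them with real values.
Import-Module ActiveDirectory

$leaver  = 'CPANDL\jorman'   # mailbox owner who has left the company
$manager = 'CPANDL\bsmith'   # account that needs to read the mailbox

# 1. Keep the leaver locked out. Disabling the AD account only removes the
#    ability to authenticate; the mailbox and its ACL remain in the database,
#    which is exactly what the first answer relies on. Hiding it from the GAL
#    stops colleagues sending new mail to it.
Disable-ADAccount -Identity 'jorman'
Set-Mailbox -Identity $leaver -HiddenFromAddressListsEnabled $true

# 2. Grant the manager Full Access. -Identity is the mailbox being configured,
#    -User is the account receiving the right. -AutoMapping $false keeps
#    Outlook from auto-opening the mailbox on every machine the manager logs
#    on to; they add it explicitly instead.
Add-MailboxPermission -Identity $leaver -User $manager `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 3. Turn on mailbox audit logging so delegate activity (folder opens, SendAs,
#    SendOnBehalf) is recorded and can be reviewed later.
Set-Mailbox -Identity $leaver -AuditEnabled $true `
    -AuditDelegate FolderBind,SendAs,SendOnBehalf

# 4. Verify: the explicit ACE for the manager exists, and the leaver's own
#    account really is disabled.
Get-MailboxPermission -Identity $leaver |
    Where-Object { $_.User.ToString() -eq $manager -and -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny -AutoSize
Get-ADUser -Identity 'jorman' -Properties Enabled |
    Select-Object SamAccountName, Enabled

# 5. At the end of the agreed retention period, revoke the right (this mirrors
#    the Remove-MailboxPermission excerpt above) and review what was accessed.
Remove-MailboxPermission -Identity $leaver -User $manager `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
Search-MailboxAuditLog -Identity $leaver -LogonTypes Delegate -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName
```

Two design notes: leaving the AD account disabled is preferable to re-enabling it with a changed password, because a disabled account cannot be used for any logon (OWA, ActiveSync, SMTP auth) even if the new password leaks; and the audit step gives you a record of what the manager opened, which is what you will be asked for if the departure is contested.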