It sometimes happens that a user needs educating that access to corporate email is a privilege, not a right, and that you can revoke this privilege if it gets used improperly. For example, consider a user who sends an email to the entire GAL announcing that the user's manager is capable of performing certain improbable acts of personal gymnastics. If the user retains his or her job, you might want to restrict the user's email access for a while. Exchange offers a variety of alternatives for temporarily or permanently removing a user's email access.
Disable the user's Active Directory account
You are reading tip #11 from "15 tips in 15 minutes: Managing recipients and distribution lists," excerpted from Chapter 5 of the book Learning Exchange Server 2003, published by Addison-Wesley Professional.
One particularly draconian way to block a user from getting access to a mailbox is to disable the entire user account, as shown in Figure 5.51. Users who have been denied access to the network cannot access their email through any client protocol, including HTTP/WebDAV (Outlook Web Access) and POP3/IMAP4.
This option has the unfortunate (depending on your perspective) result of causing Exchange to bounce any incoming messages to the user. This sometimes causes a problem when the user interacts with customers or vendors. If this is the case, use one of the other options or refer to Microsoft Knowledge Base article 278966 for hints on avoiding message bounces.
Remove the user's mailbox
You can remove the link between a user's object in Active Directory and the user's mailbox in Exchange by using the Delete Mailbox option in the Exchange Task Wizard. Right-click the user's object in Active Directory Users and Computers, select Exchange Tasks from the flyout menu, and then select Delete Mailbox from the list of tasks. (You can access this same task list from the property menu for a mailbox in Exchange System Manager.) Figure 5.52 shows an example.
The Delete Mailbox option results in the removal of the user's name from the Global Address List, the digital equivalent of banishment. Users sometimes get perturbed when you do this to them. Get written permission first.
By default, deleting a user's mailbox does not actually delete the user's messages in the mailbox store. Exchange retains a user's mailbox for 30 days, by default, before deleting the mailbox and its contents. (This value can be changed. See "Deleted Mailbox Retention" later in this chapter.) Any mail sent to the SMTP address of a deleted user gets bounced with a "Recipient Not Found" message.
Deny access permission to the user's mailbox
If you want the user to continue to receive mail but you don't want the user to read that mail, you can block access using mailbox permissions.
Open the Properties window for a user, select the Exchange Advanced tab then click Mailbox Rights. The Permissions window for the selected user opens with the Mailbox Rights tab selected, as shown in Figure 5.53.
The permission list contains an entry called SELF. This well-known SID acts as a placeholder for the user account represented by the Active Directory object where the ACL resides.
Uncheck the Allow option for SELF and click OK to save the setting. Clearing the Allow permission for SELF leaves the user in the GAL and still receiving mail, but the user can no longer open the mailbox. Note that the Information Store caches mailbox rights, so the change may not bite immediately: an Outlook session that is already open can keep reading until the store's cache refreshes. Check that the lockout has actually taken effect rather than assuming it from the dialog.
Remove selected access protocols
Users can access their mailboxes using any of the supported client protocols -- MAPI, POP3, IMAP4, and HTTP (Outlook Web Access) -- as long as the corresponding service has been enabled at the Exchange server. A user can always make a MAPI connection using Outlook, but you can restrict access by the other protocols on a per-user basis.
To change the protocol setting for a user, open the user's Properties window in Active Directory Users and Computers and select the Exchange Features tab, as shown in Figure 5.54.
If you only want a particular set of users to access Exchange using OWA, you can disable the protocol for all other users.
The Properties button for POP3 or IMAP4 also lets you choose whether Exchange hands those clients message bodies as Multipurpose Internet Mail Extensions (MIME) HTML or as plain text. The Plain Text option keeps HTML bodies, and any script or active content they carry, out of what POP3 and IMAP4 clients download; it does not change the message as a MAPI client sees it.
Remove the user's Exchange configuration
If you get into a situation where Exchange refuses to remove the link between a mailbox and a user account due to a configuration error, you can elect to remove all Exchange attributes from the user object using an Exchange Task Wizard option called Remove Exchange Attributes (shown in Figure 5.55).
If you take this action, the user loses mailbox access, but the mailbox remains in the store where you can link it to the same or another user. Use this option only if the attempt to delete the mailbox using the Delete Mailbox option fails.
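Each of the methods above (disabling the account, deleting the mailbox, switching off protocols, removing the Exchange attributes) changes attributes on the user object in Active Directory, and a practitioner will want to verify that a lockout actually took effect rather than trust the dialog. The script below is an added example, not code from the chapter: it takes user records in the shape an LDAP query returns them (the records here are constructed) and reports what mail access each user retains. userAccountControl, homeMDB and protocolSettings are the real attributes behind these dialogs; the layout assumed for a protocolSettings entry (protocol name, then 1 for enabled or 0 for disabled, then protocol-specific fields, e.g. HTTP§0§1§§§§§§) is as seen in Exchange 2003 directories and is treated as an assumption. The SELF change on the Mailbox Rights tab is stored in the binary msExchMailboxSecurityDescriptor attribute, which the script does not decode, so its protocol list is an upper bound on what the user can actually open.

```python
"""Audit which of the chapter's blocking methods are in effect for a user.

Added example (not the book's code): it reads the Active Directory
attributes that the ADUC / Exchange Task Wizard dialogs modify and reports
the mail access a user retains. Sample records below are constructed.
"""

# userAccountControl flag set by "Disable Account" in Active Directory Users and Computers
ACCOUNTDISABLE = 0x2

# Protocols the Exchange Features tab can switch off per user; MAPI cannot be.
RESTRICTABLE = ("HTTP", "POP3", "IMAP4")

# Constructed sample: a mailbox store DN of the kind found in homeMDB.
SAMPLE_STORE = ("CN=Mailbox Store (EXCH01),CN=First Storage Group,CN=InformationStore,"
                "CN=EXCH01,CN=Servers,CN=First Administrative Group,"
                "CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,"
                "CN=Services,CN=Configuration,DC=contoso,DC=com")

# Constructed sample records, one per method from the text.
SAMPLE_USERS = {
    # untouched user: enabled account, mailbox, no protocol restrictions
    "alice": {"userAccountControl": 0x200, "homeMDB": SAMPLE_STORE, "protocolSettings": []},
    # "Disable the user's Active Directory account"
    "bob": {"userAccountControl": 0x200 | ACCOUNTDISABLE, "homeMDB": SAMPLE_STORE},
    # "Remove the user's mailbox" / "Remove Exchange Attributes": no homeMDB left on the object
    "carol": {"userAccountControl": 0x200},
    # "Remove selected access protocols": HTTP, POP3 and IMAP4 switched off
    "dave": {
        "userAccountControl": 0x200,
        "homeMDB": SAMPLE_STORE,
        "protocolSettings": [
            "HTTP§0§1§§§§§§",                       # assumed layout: name§enabled§...
            "POP3§0§1§4§ISO-8859-1§0§1§0§0",
            "IMAP4§0§1§4§ISO-8859-1§0§1§0§0§0",
        ],
    },
}


def protocol_flags(protocol_settings):
    """Map each restrictable protocol to enabled/disabled from protocolSettings.

    Exchange writes an entry only after an administrator changes a protocol's
    setting; a protocol with no entry is at its default, which is enabled.
    Field 0 is the protocol name and field 1 the enable flag (assumed layout);
    the remaining fields are protocol-specific options (MIME format, character
    set) that this audit does not interpret.
    """
    flags = {name: True for name in RESTRICTABLE}
    for entry in protocol_settings or []:
        fields = entry.split("§")
        name = fields[0].strip().upper()
        if name in flags and len(fields) > 1:
            flags[name] = fields[1] == "1"
    return flags


def access_state(user):
    """Summarise the mail access a user object still has.

    `user` is a dict of attribute name -> value as an LDAP search returns it.
    The SELF deny on Mailbox Rights lives in the binary
    msExchMailboxSecurityDescriptor attribute and is not decoded here, so
    `usable_protocols` is an upper bound on what the user can actually open.
    """
    disabled = bool(user.get("userAccountControl", 0) & ACCOUNTDISABLE)
    has_mailbox = bool(user.get("homeMDB"))
    flags = protocol_flags(user.get("protocolSettings"))

    usable = set()
    if has_mailbox and not disabled:
        usable.add("MAPI")          # Outlook access cannot be switched off per user
        usable.update(name for name, on in flags.items() if on)

    return {
        "account_disabled": disabled,
        "mailbox_linked": has_mailbox,
        # a disabled account or a deleted mailbox makes inbound mail bounce
        "accepts_inbound_mail": has_mailbox and not disabled,
        "usable_protocols": usable,
    }


def audit(users):
    """Return a one-line finding per user, suitable for a lockout checklist."""
    report = {}
    for name, attrs in users.items():
        state = access_state(attrs)
        if not state["usable_protocols"]:
            report[name] = "no client access; inbound mail bounces"
        elif state["usable_protocols"] == {"MAPI"}:
            report[name] = "non-MAPI protocols off, but Outlook (MAPI) still works"
        else:
            report[name] = "full access via " + ", ".join(sorted(state["usable_protocols"]))
    return report


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_USERS).items():
        print(f"{user:6} {finding}")
```

Run against the constructed records, the report makes the chapter's point concrete: only the disabled account and the unlinked mailbox come back with no client access, while the user whose HTTP, POP3 and IMAP4 were switched off still has a working Outlook connection. In a real domain, feed it the same attributes from an LDAP search of the user object.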
15 tips in 15 minutes: Managing recipients and distribution lists
Tip 1: Exchange security groups
Tip 2: Group membership expansion
Tip 3: Managing Exchange group email properties
Tip 4: Exchange 2003 Query-Based Distribution Groups
Tip 5: DSAccess for Exchange
Tip 6: DSProxy for Exchange
Tip 7: Managing Exchange recipient policies
Tip 8: Exchange Recipient Update Service and proxy addresses
Tip 9: Restricting mail storage on an Exchange server
Tip 10: The Exchange server mailbox management service
Tip 11: Blocking a user's email access
Tip 12: Accessing another user's mailbox in Outlook
Tip 13: Exchange mail retention
Tip 14: Managing recipients with system policies
Tip 15: Managing recipients with Global Settings
This chapter excerpt from Learning Exchange Server 2003 by William Boswell is printed with permission from Addison-Wesley Professional, Copyright 2004.