Blocking a user's email access

In the following tip from "15 tips in 15 minutes: Managing recipients and distribution lists," you'll learn how to block a user's email access in Exchange including how to disable the user's Active Directory account, remove the user's mailbox and selected access protocols.

It sometimes happens that a user needs educating that access to corporate email is a privilege, not a right, and that you can revoke this privilege if it gets used improperly. For example, consider a user who sends an email to the entire GAL announcing that the user's manager is capable of performing certain improbable acts of personal gymnastics. If the user retains his or her job, you might want to restrict the user's email access...

for a while. Exchange offers a variety of alternatives for temporarily or permanently removing a user's email access.

Disable the user's Active Directory account

One particularly draconian way to block a user from getting access to a mailbox is to disable the entire user account, as shown in Figure 5.51. Users who have been denied access to the network cannot access their email through any client protocol, including HTTP/WebDAV (Outlook Web Access) and POP3/IMAP4.

This option has the unfortunate (depending on your perspective) result of causing Exchange to bounce any incoming messages to the user. This sometimes causes a problem when the user interacts with customers or vendors. If this is the case, use one of the other options or refer to Microsoft Knowledge Base article 278966 for hints on avoiding message bounces.

Figure 51
Figure 5.51 User properties in Active Directory showing Account Disabled flag. (Click on image for enlarged view.)

Remove the user's mailbox

You can remove the link between a user's object in Active Directory and the user's mailbox in Exchange by using the Delete Mailbox option in the Exchange Task Wizard. Right-click the user's object in Active Directory Users and Computers, select Exchange Tasks from the flyout menu, and then select Delete Mailbox from the list of tasks. (You can access this same task list from the property menu for a mailbox in Exchange System Manager.) Figure 5.52 shows an example.

The Delete Mailbox option results in the removal of the user's name from the Global Address List, the digital equivalent of banishment. Users sometimes get perturbed when you do this to them. Get written permission first.

By default, deleting a user's mailbox does not actually delete the user's messages in the mailbox store. Exchange retains a user's mailbox for 30 days, by default, before deleting the mailbox and its contents. (This value can be changed. See "Deleted Mailbox Retention" later in this chapter.) Any mail sent to the SMTP address of a deleted user gets bounced with a "Recipient Not Found" message.

Figure 52
Figure 5.52 Exchange Task Wizard showing option to delete user's mailbox. (Click on image for enlarged view.)

Deny access permission to the user's mailbox

If you want the user to continue to receive mail but you don't want the user to read that mail, you can block access using mailbox permissions.

Open the Properties window for a user, select the Exchange Advanced tab then click Mailbox Rights. The Permissions window for the selected user opens with the Mailbox Rights tab selected, as shown in Figure 5.53.

Figure 53
Figure 5.53 Mailbox Rights window for user mailbox showing how to remove Full Mailbox Access from user. (Click on image for enlarged view.)

The permission list contains an entry called SELF. This well-known SID acts as a placeholder for the user account represented by the Active Directory object where the ACL resides.

Uncheck the Allow option for SELF and click OK to save the setting. By removing the Allow permission for SELF, the user continues to appear in the GAL and can still receive mail, but the user cannot access his or her messages.

Remove selected access protocols

Users can access their mailboxes using any of the supported client protocols -- MAP , POP3, IMAP4, and HTTP -- as long as the corresponding service has been enabled at the Exchange server. A user can always make a MAPI connection using Outlook, but you can restrict access by the other protocols.

To change the protocol setting for a user, open the user's Properties window in Active Directory Users and Computers and select the Exchange Features tab, as shown in Figure 5.54.

Figure 54
Figure 5.54 User Properties window in Active Directory showing that Exchange Features can be enabled and disabled individually. (Click on image for enlarged view.)

If you only want a particular set of users to access Exchange using OWA, you can disable the protocol for all other users.

You can also use the Properties of a particular protocol to determine whether Exchange uses Multipurpose Internet Mail Extensions (MIME) with HTML message bodies or plain text. The Plain Text option prevents potentially harmful HTML content from getting delivered to a user.

Remove the user's Exchange configuration

If you get into a situation where Exchange refuses to remove the link between a mailbox and a user account due to a configuration error, you can elect to remove all Exchange attributes from the user object using an Exchange Task Wizard option called Remove Exchange Attributes (shown in Figure 5.55).

Figure 55
Figure 5.55 Exchange Task Wizard showing option to Remove Exchange Attributes entirely. (Click on image for enlarged view.)

If you take this action, the user loses mailbox access, but the mailbox remains in the store where you can link it to the same or another user. Use this option only if the attempt to delete the mailbox using the Delete Mailbox option fails.


15 tips in 15 minutes: Managing recipients and distribution lists
 
Home: Introduction
Tip 1: Exchange security groups
Tip 2: Group membership expansion
Tip 3: Managing Exchange group email properties
Tip 4: Exchange 2003 Query-Based Distribution Groups
Tip 5: DSAccess for Exchange
Tip 6: DSProxy for Exchange
Tip 7: Managing Exchange recipient policies
Tip 8: Exchange Recipient Update Service and proxy addresses
Tip 9: Restricting mail storage on an Exchange server
Tip 10: The Exchange server mailbox management service
Tip 11: Blocking a user's email access
Tip 12: Accessing another user's mailbox in Outlook
Tip 13: Exchange mail retention
Tip 14: Managing recipients with system policies
Tip 15: Managing recipients with Global Settings
 

This chapter excerpt from Learning Exchange Server 2003 by William Boswell is printed with permission from Addison-Wesley Professional, Copyright 2004. Click here for the chapter download or to purchase the book.

Dig deeper on Microsoft Exchange Server Mailbox Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close