Disabled users continue to receive mail in Exchange 2003 SP2

by Shijaz Abdulla on 29.10.2007 at 08:14

In the RTM version of Exchange 2003, if you disable an Active Directory user account, mail flow to the disabled user’s mailbox stops. To a sender, it is as though the mailbox doesn’t exist.

With service packs, this behaviour has changed. Hotfixes 916783 and 903158 change store.exe as follows:

If the SELF SID is missing from the Mailbox permissions, store.exe checks to see if the msExchMasterAccountSID is populated (this is the same as before). If it is not populated, then store.exe will use the objectSID of the user account, which should always be present.

This is good news for some administrators and bad news for others.

The good news is that if you want to temporarily restrict a user from accessing his mailbox but do not want him to lose out on receiving important e-mail, this is now possible. Also, if an employee leaves the company and you would like to configure an Out of Office message stating that he is no longer working there and at the same time disable the account for security purposes, this is now possible.

The bad news is that the above is not good enough for some companies. They just want to disable the account and forget about it. In such cases, administrators can adjust the delivery restrictions for the disabled user so that the user receives mail *only from* his own account. Or, you can configure ‘prohibit send/receive’ at 0 KB. Or, you can simply change or remove the SMTP email address of the user.
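To find disabled accounts that still accept mail, you can check each disabled, mailbox-enabled user for the three workarounds above. The following is an added example, not part of the original post; it assumes the Exchange 2003 attributes `authOrig` (accept messages only from), `mDBUseDefaults` and `mDBOverHardQuotaLimit` (prohibit send and receive, in KB) and `proxyAddresses`, and it runs on constructed sample entries rather than a live directory.

```powershell
# LDAP filter for live use, e.g. ([adsisearcher]$Filter).FindAll():
# mailbox-enabled users (homeMDB set) with the ACCOUNTDISABLE bit (0x2) set.
$Filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2))'

function Get-DisabledMailboxStatus {
    param([Parameter(Mandatory)][hashtable]$Entry)

    # Skip accounts that are enabled or have no mailbox.
    if (([int]$Entry.userAccountControl -band 0x2) -eq 0 -or -not $Entry.homeMDB) { return }

    $found = @()
    # Delivery restriction "accept messages only from" limited to the user itself.
    $senders = @($Entry.authOrig | Where-Object { $_ })
    if ($senders.Count -eq 1 -and $senders[0] -eq $Entry.distinguishedName) {
        $found += 'AcceptOnlyFromSelf'
    }
    # Store defaults overridden and "prohibit send and receive" set to 0 KB.
    if ($Entry.mDBUseDefaults -eq $false -and $Entry.ContainsKey('mDBOverHardQuotaLimit') -and
        [int]$Entry.mDBOverHardQuotaLimit -eq 0) {
        $found += 'ProhibitSendReceive0KB'
    }
    # No SMTP proxy address left (a changed address cannot be detected here).
    if (-not (@($Entry.proxyAddresses) -like 'smtp:*')) { $found += 'NoSmtpAddress' }

    [pscustomobject]@{
        User          = $Entry.distinguishedName
        Mitigations   = $found -join ','
        StillReceives = ($found.Count -eq 0)
    }
}

# Constructed sample entries (not real directory data).
$store  = 'CN=Mailbox Store (constructed),DC=example,DC=com'
$sample = @(
    @{ distinguishedName = 'CN=Left Staff,OU=Users,DC=example,DC=com'; userAccountControl = 514
       homeMDB = $store; proxyAddresses = @('SMTP:left.staff@example.com') },
    @{ distinguishedName = 'CN=Quota Zero,OU=Users,DC=example,DC=com'; userAccountControl = 514
       homeMDB = $store; proxyAddresses = @('SMTP:quota.zero@example.com')
       mDBUseDefaults = $false; mDBOverHardQuotaLimit = 0 },
    @{ distinguishedName = 'CN=Active User,OU=Users,DC=example,DC=com'; userAccountControl = 512
       homeMDB = $store; proxyAddresses = @('SMTP:active.user@example.com') }
)
$sample | ForEach-Object { Get-DisabledMailboxStatus -Entry $_ } | Format-Table -AutoSize
```

On the sample data, only the first entry is reported with `StillReceives` set to true; the enabled account is skipped entirely.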


7 Responses to Disabled users continue to receive mail in Exchange 2003 SP2

  1. maximillian_x says:

    Good post – I’m new to Exchange 2003. My last company used Exchange 5.5, and they were migrating to Notes (don’t ask), so I’ve not had the experience of working with E2K3.

    I ran across this issue when I disabled a user, but my manager noted that he could still send email to that user.

    In E5.5, I could disable the AD account, then hide the mailbox, and this seemed to work (but is not the case with E2K3, apparently).

    If I really wanted to delete his mailbox, would deleting the account do this, or do I have to do something different?

    Oh – and I am looking into some E2K3 resources… 🙂 Thanks – and drop by my blog sometime!


  2. Shijaz Abdulla says:

    If you try to delete the user account from the AD users & computers snap in on an Exchange server (or a computer where the Exchange admin tools are installed), you will be prompted if you would like to delete the mailbox as well.

  3. Bryan says:

    Deleting the account is sometimes not an option.

    As common practice, when I disable an account I remove them from all Distro/Security Groups, hide their Exchange address and remove all SMTP/X400 entries (with the exception of the primary SMTP address) and change the address to: *First Initial*DISABLED*Last Initial*

    I only change their SMTP account when I know we no longer need to accept mail from this user.

  4. Tejas Suthar says:

    Good article – I am very new to Exchange 2007, and I am developing a mobile device application. I need to use disabled Resource accounts in disabled mode in AD. I use a user mailbox that has full access permission to these resource accounts. I am able to read the calendar and create appointments. But with this setup I am not able to send email using these resource mailboxes, which are disabled in AD.

    Do you know any alternative for this ?
