Exchange 2007 Quick Tip: Find disabled AD users with active mailboxes and stop their email

Doing a little cleanup today and needed to check who was "disabled" in AD but still had mailboxes on our Exchange server. In case you weren't aware, Exchange mailboxes remain active even if the user account is disabled. As part of how we do things, we keep mailboxes around for a looooong time because people tend to leave or retire and then come back on a temp basis, and when they return they have all their old email available. So, first let's compare AD with Exchange and get a list of folks... (source for the code below)

Download the Quest PowerShell cmdlets (the ActiveRoles Management Shell for Active Directory) and run the query below:

> get-qaduser -includedproperties altrecipient, homeMDB -disabled | select-object -property "name", "description", "altrecipient", "homeMDB" > c:\mailboxes.csv

Then sort by HomeMDB. (Note that the > redirect writes a formatted text table rather than true CSV; pipe to Export-Csv instead if you want a file that sorts cleanly in Excel.)

Now you have a list of folks to work with. If you want to stop email flowing to one of those mailboxes, there are a couple of ways to do it (there are other options too). You can either restrict who is allowed to send to that address (say, a dummy account in your organization only), which prevents anyone else from delivering to that mailbox, or you can change the primary SMTP address to something else, so that mail to the original address bounces as non-deliverable.

What's the difference? Not much. If you restrict who can email you will get the following NDR:

Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator. #550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized ##

If you change the primary address to something else you will get this:

The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator. #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

I personally prefer the "address not found" NDR. To me it is a little more definitive: it doesn't say "oops, you can't do that, please call me and ask for permission." It says "oops, that address is wrong, check it and make sure you're sending to someone who is still here." My standard format for changing addresses is to leave the username and add _DISABLED. So the new address looks like: [email protected].

Then, if you want to easily find everyone whose address has been disabled this way, the search looks like this:

> Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -like '*[email protected]' -And RecipientType -eq 'UserMailbox'"
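To tie the steps above together, here is an added Exchange Management Shell script (my own example, not code from the original post) that finds the mailboxes whose AD account is disabled and renames their primary SMTP address to alias_DISABLED@domain. It assumes a placeholder domain of example.com, a hypothetical -Commit switch, and that the old primary address must be dropped from the proxy list; Set-Mailbox -PrimarySmtpAddress by itself keeps the old address as a secondary, which would still deliver instead of producing the 5.1.1 RecipNotFound NDR.

```powershell
# Added example, not part of the original post. Run from the Exchange
# Management Shell on Exchange 2007. Dry-runs (-WhatIf) unless -Commit is given.
param(
    [string]$Domain = 'example.com',   # placeholder: replace with your SMTP domain
    [switch]$Commit                    # hypothetical switch: actually apply changes
)

# Mailbox-enabled users whose AD account is disabled (UserAccountControl flag).
$disabledUsers = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -match 'AccountDisabled' }

foreach ($u in $disabledUsers) {
    $mbx        = Get-Mailbox -Identity $u.Identity
    $oldPrimary = $mbx.PrimarySmtpAddress.ToString()

    # Skip mailboxes that were already renamed on a previous run.
    if ($oldPrimary -like '*_DISABLED@*') { continue }

    $newPrimary = "$($mbx.Alias)_DISABLED@$Domain"

    # Keep every existing proxy address EXCEPT the old primary, then add the new
    # primary. Uppercase "SMTP:" marks the primary address in the collection.
    # Removing the old address is what makes mail to it bounce with 5.1.1.
    $addresses = @($mbx.EmailAddresses |
        Where-Object { $_.ProxyAddressString -ne "SMTP:$oldPrimary" } |
        ForEach-Object { $_.ProxyAddressString })
    $addresses += "SMTP:$newPrimary"

    Write-Host "$($mbx.Name): $oldPrimary -> $newPrimary"

    # Turn off the address policy first, or Exchange will put the old
    # policy-generated address straight back.
    Set-Mailbox -Identity $mbx.Identity `
        -EmailAddressPolicyEnabled $false `
        -EmailAddresses $addresses `
        -WhatIf:(-not $Commit)
}
```

Run it once without -Commit and read the WhatIf output before running it for real; the Get-Recipient search above will then list everything it renamed.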