In Part I, I provided information regarding users’ mobile devices still being able to synchronize with Exchange (via ActiveSync) even after their AD Accounts have been disabled. I included related best practices on how to stop devices from syncing as quickly as possible.
Here, in Part II, I’m going to discuss a similar issue with Outlook and OWA and the best practices on how to deal with them. Be aware that in many places I will only mention “OWA”; this information is also applicable to all web-service related Exchange connectivity such as EWS (used by Outlook for Mac 2011, etc.) and Outlook Anywhere.
To recap the issue I’m referring to:
Many companies simply disable the AD Account when an employee is terminated and assume that very quickly (e.g. within a couple of minutes) the user will no longer be able to access any Windows Authentication-based resources, including Exchange through any of its access methods, because the AD Account has been disabled. Unfortunately, that is NOT correct. For many hours after the AD Account has been disabled, users may be able to continue accessing Exchange and be able to send, receive, etc. This happens for a number of reasons (which I’ll discuss below) and can become a huge issue, especially when dealing with terminated employees who have been “walked out the door”.
Why does this happen?
First and foremost, in order to scale and be efficient, a lot of caching goes on within IIS and Exchange. IIS plays a major role here as the Exchange-based web services run under IIS. Besides the caching in IIS, Exchange also does its own caching: more than just data caching in memory, active connections to the store (Exchange 2007) or RPCClientAccess (Exchange 2010) are cached for up to 2 hours, which affects the authentication of Outlook MAPI (RPC) connections.
The main component/feature of IIS involved is User Token Caching. The default is 15 minutes, so if a connection is made within 15 minutes of the last connection, the cached token information is reused instead of checking with AD. You can adjust this value (see KB152526), but be aware that reducing this time will put additional load on the DCs and, depending on open connections, may still not go into effect quickly. Also, be aware that while Internet Explorer (IE) will very strictly follow this, other browsers have been found NOT to do so, which can mean other browsers may continue to provide access when IE no longer does.
Best Practices to Follow Regarding Disabling User Access
Here are the best practices related to Outlook and OWA:
For Exchange 2007:
Set-CASMailbox -Identity <user> -OwaEnabled $false
For Exchange 2010:
Set-CASMailbox -Identity <user> -OwaEnabled $false
Set-CASMailbox -Identity <user> -EwsEnabled $false
Set-CASMailbox -Identity <user> -EcpEnabled $false
For Exchange 2007:
Set-CASMailbox -Identity <user> -MapiEnabled $false
Set-CASMailbox -Identity <user> -MapiBlockOutlookRpcHttp $true
For Exchange 2010:
Set-CASMailbox -Identity <user> -MapiEnabled $false
Set-CASMailbox -Identity <user> -MapiBlockOutlookRpcHttp $true
Set-CASMailbox -Identity <user> -EwsAllowMacOutlook $false
Set-CASMailbox -Identity <user> -EwsAllowOutlook $false
Set-Mailbox -Identity <user> -RecipientLimits 0
Note: It’s understood that some companies leave the mailboxes enabled to receive email so that OOF/automatic responses can be generated or so that emails to the address are not blocked. If this is the case, it’s recommended that you disable the mailbox for approximately 30 minutes to 1 hour and then enable it again. This will allow time for the change to go into effect and stop allowing clients to access. This solution is in lieu of disabling as outlined above.
Just like I stated about the steps yesterday, implementing the above steps is NOT instantaneous! It can take around 5-10 minutes for the disabling of the protocols and/or settings to go into effect, and that’s from the time that the change is replicated to all the DC/GCs used. Obviously, if you make the changes against a DC/GC in another site and it has to replicate to the Internet-facing Exchange site(s), more time is needed. The other settings can take up to 20 minutes to go into effect due to caching.
You may notice that while we recommend setting -RecipientLimits on the mailbox, we do NOT mention setting the Send and Receive Quota settings. This is because the RecipientLimits changes go into effect very quickly, whereas changes to the Send and Receive Quota settings do not. While you can change the Send and Receive quotas as well, as it relates to this issue it is not a recommended workaround and won’t help in the short term.
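The Exchange 2010 steps above, combined into one function, as an added example (not from the original post). It writes to and reads back from a single domain controller; the function name and the `$DomainController` value are assumptions, and the DC you pass should be one in the Internet-facing Exchange site so that replication delay is not added on top of the caching delay.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Disable-ExchangeClientAccess is a hypothetical helper name, not an Exchange cmdlet.
function Disable-ExchangeClientAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        # Assumption: a DC/GC in the same AD site as the Internet-facing CAS servers.
        [Parameter(Mandatory = $true)][string]$DomainController
    )

    # The OWA/EWS/ECP and MAPI settings listed above, sent as a single change.
    $casSettings = @{
        OwaEnabled              = $false
        EwsEnabled              = $false
        EcpEnabled              = $false
        MapiEnabled             = $false
        MapiBlockOutlookRpcHttp = $true
        EwsAllowMacOutlook      = $false
        EwsAllowOutlook         = $false
    }

    if ($PSCmdlet.ShouldProcess($Identity, 'Disable OWA/EWS/ECP/MAPI, set RecipientLimits 0')) {
        Set-CASMailbox -Identity $Identity -DomainController $DomainController `
            @casSettings -ErrorAction Stop
        Set-Mailbox -Identity $Identity -DomainController $DomainController `
            -RecipientLimits 0 -ErrorAction Stop
    }

    # Read the values back from the same DC so the result reflects what was
    # written, not a replica that has not yet received the change.
    $cas = Get-CASMailbox -Identity $Identity -DomainController $DomainController
    $mbx = Get-Mailbox    -Identity $Identity -DomainController $DomainController

    # One record per user, suitable for attaching to the termination ticket.
    $cas | Select-Object Name, OWAEnabled, EwsEnabled, ECPEnabled, MAPIEnabled,
        MAPIBlockOutlookRpcHttp, EwsAllowMacOutlook, EwsAllowOutlook,
        @{ Name = 'RecipientLimits'; Expression = { $mbx.RecipientLimits } },
        @{ Name = 'WrittenTo';       Expression = { $DomainController } },
        @{ Name = 'ChangedAt';       Expression = { Get-Date } }
}

# Preview first, then apply (user and DC names are placeholders):
# Disable-ExchangeClientAccess -Identity '<user>' -DomainController '<dc-fqdn>' -WhatIf
# Disable-ExchangeClientAccess -Identity '<user>' -DomainController '<dc-fqdn>'
```

The `ChangedAt` value marks the start of the 5-10 minute and up-to-20-minute windows described above; the settings it reports are what AD holds, not proof that cached sessions have already been dropped.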
One option I did not mention yesterday, which is a workaround that works for ALL the connection methods (ActiveSync, OWA and Outlook) is to MOVE the mailbox. Not really a great option (especially if dealing with a very large mailbox and/or you have no place to move it to). But if the mailbox gets moved it causes all the existing connections to be reset (Note: this doesn't happen until the 2nd phase of the Online Mailbox Move process in Exchange 2010…it happens immediately with Exchange 2007 as Exchange 2007 does NOT have Online Mailbox Moves).
I’d be remiss not to mention another option related to web-based services (including ActiveSync) that would remove the caching impact: bouncing the IIS service (e.g. IISRESET), which clears all caches and resets all connections due to the service restart. However, this would be required on ALL Exchange CAS servers possibly used and would impact many (if not all) users. Obviously, this is not a good solution, but in an urgent situation it could be used and would go into effect the quickest.
A follow-up question I received is also whether changing the password on the AD account would help. The answer is, no. You may notice that after a user’s password is changed both the old and new password may work for some time and/or the new password doesn’t start working right away. This is because the old token, which was validated and gets cached (see above), is still considered valid and continues to work.