Exch2007: Server-side mailbox rules still run with account disabled

Hi,

It looks like this may be an alarming flaw in Exchange
security at least for my company's processes in regards to term'ed
employee mailboxes.  If somebody sets up a server-side rule that
forwards all their incoming to an external address, that rule stays
active even after disabling the mailbox.  Is there a way to prevent
this globally, or are we going to need to manually go into every
single mailbox of people who leave the company and clear rules?
Thanks.

PVD
0
Peter
6/25/2010 6:16:08 PM

Hello:

You can disallow automatic forwarding of e-mails to external addresses 
globally, but I'm not aware of anything to automatically delete or disable 
rules when an account is disabled.

There's a legitimate reason for allowing rules on disabled 
accounts/mailboxes. If you set up a resource mailbox (which has a disabled 
AD account), you might need to set up some rules on that.

-- 
Regards,
M
MCTS, MCSA
http://SysAdmin-E.com

"Peter Venkman" <pauldi@iona.com> wrote in message 
news:0130ecc4-d662-4222-b3ef-4becfa00d715@b35g2000yqi.googlegroups.com...
> Hi,
>
> It looks like this may be an alarming flaw in Exchange
> security at least for my company's processes in regards to term'ed
> employee mailboxes.  If somebody sets up a server-side rule that
> forwards all their incoming to an external address, that rule stays
> active even after disabling the mailbox.  Is there a way to prevent
> this globally, or are we going to need to manually go into every
> single mailbox of people who leave the company and clear rules?
> Thanks.
>
> PVD 


0
M
6/25/2010 8:23:17 PM
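
Added example (not part of the original thread): the global setting mentioned in the reply above, as Exchange Management Shell commands, plus a report of disabled user mailboxes that still have mailbox-level forwarding. It assumes the default remote domain entry is named `Default` and that disabled accounts show `AccountDisabled` in `UserAccountControl`.

```powershell
# Added example, run from the Exchange Management Shell.

# 1. Show the current auto-forward setting for every remote domain entry.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 2. Stop automatically forwarded messages (such as those generated by
#    mailbox rules) from leaving for external domains covered by the
#    default entry. Assumption: the default entry is named 'Default'.
Set-RemoteDomain -Identity 'Default' -AutoForwardEnabled $false

# 3. Report disabled *user* mailboxes that still forward at the mailbox
#    level. Resource mailboxes (room/equipment) are excluded by the
#    RecipientTypeDetails filter, since they are expected to be disabled.
#    This lists admin-configured forwarding (ForwardingAddress), not
#    inbox rules; those still have to be reviewed in the mailbox itself.
Get-User -ResultSize Unlimited |
    Where-Object {
        $_.RecipientTypeDetails -eq 'UserMailbox' -and
        $_.UserAccountControl -match 'AccountDisabled'
    } |
    ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Where-Object { $_.ForwardingAddress } |
    Select-Object Name, ForwardingAddress, DeliverToMailboxAndForward
```

The report in step 3 is a review list for the termination process: entries pointing at managers or replacements are expected, anything else needs a look.
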
On Fri, 25 Jun 2010 11:16:08 -0700 (PDT), Peter Venkman
<pauldi@iona.com> wrote:

>It looks like this may be an alarming flaw in Exchange
>security at least for my company's processes in regards to term'ed
>employee mailboxes.  If somebody sets up a server-side rule that
>forwards all their incoming to an external address, that rule stays
>active even after disabling the mailbox.  Is there a way to prevent
>this globally, or are we going to need to manually go into every
>single mailbox of people who leave the company and clear rules?
>Thanks.

Delete the mailbox. Done!
---
Rich Matheisen
MCSE+I, Exchange MVP
0
Rich
6/25/2010 9:12:12 PM
What if you set the send/receive mail settings to zero on the user's profile, 
would that prevent emails from being forwarded via a rule?

"Rich Matheisen [MVP]" wrote:

> On Fri, 25 Jun 2010 11:16:08 -0700 (PDT), Peter Venkman
> <pauldi@iona.com> wrote:
> 
> >It looks like this may be an alarming flaw in Exchange
> >security at least for my company's processes in regards to term'ed
> >employee mailboxes.  If somebody sets up a server-side rule that
> >forwards all their incoming to an external address, that rule stays
> >active even after disabling the mailbox.  Is there a way to prevent
> >this globally, or are we going to need to manually go into every
> >single mailbox of people who leave the company and clear rules?
> >Thanks.
> 
> Delete the mailbox. Done!
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP
> .
> 
0
Utf
6/28/2010 3:05:37 PM
Enable the user account.   Change the password.   Log in as that 
user....delete rules.
Disable the account.





"mikee" <mikee@discussions.microsoft.com> wrote in message 
news:32024EE8-D142-4248-8C2A-1568F321375A@microsoft.com...
> What if you set the send/receive mail settings to zero on the user's 
> profile,
> would that prevent emails from being forwarded via a rule?
>
> "Rich Matheisen [MVP]" wrote:
>
>> On Fri, 25 Jun 2010 11:16:08 -0700 (PDT), Peter Venkman
>> <pauldi@iona.com> wrote:
>>
>> >It looks like this may be an alarming flaw in Exchange
>> >security at least for my company's processes in regards to term'ed
>> >employee mailboxes.  If somebody sets up a server-side rule that
>> >forwards all their incoming to an external address, that rule stays
>> >active even after disabling the mailbox.  Is there a way to prevent
>> >this globally, or are we going to need to manually go into every
>> >single mailbox of people who leave the company and clear rules?
>> >Thanks.
>>
>> Delete the mailbox. Done!
>> ---
>> Rich Matheisen
>> MCSE+I, Exchange MVP
>> .
>> 


0
John
6/28/2010 8:53:01 PM
Thanks all.

As for the legitimate reason for allowing rules on mailboxes, I'd
agree.  Resource mailboxes should certainly allow rules to be run
while disabled.  User mailboxes...  I don't agree with.  Since
Exchange 2007 differentiates between the two, I see it as a flaw.

Thanks for the rest of the suggestions.  We have Forefront, so we can
filter outgoing mail through a blocked sender list.  It just adds an
extra step to the term process.  Unfortunately, we have to keep them
disabled but not deleted per company policy for 30 days and some have
server-side forwarding in place to managers/replacements.

PVD
0
Peter
6/29/2010 8:13:53 PM