Protecting and managing accounts in Exchange Server 2010/Windows Server 2008 R2 (Part 1)

If you would like to read the next part in this article series please go to Protecting and managing accounts in Exchange Server 2010/Windows Server 2008 R2 (Part 2).




Active Directory is the foundation of Exchange Server; every Exchange service relies on it. In this article we will cover some of the new features of Windows Server 2008 R2 Active Directory that can help Exchange administrators, and also go over the steps to use Exchange Server's built-in features to reconnect deleted mailboxes.


You may have noticed that in the title of this article I wrote “accounts” instead of mailboxes/databases. The reason is that we will not be looking at database restores or anything like that in this article series. We have great tools for that (DPM is one of them), but our focus here is how we maintain and restore user accounts and their mailboxes using native tools from both products.


Exchange Server 2010 and Windows Server 2008 R2 brought a lot of new features for Exchange administrators. In the previous version we had Active Directory accounts, mailboxes and disconnected mailboxes to work with when recovering something before resorting to a database restore or third-party restore software. With the latest products we have Active Directory accounts, the Active Directory Recycle Bin, mailboxes and archives, almost doubling the items to worry about! Don’t worry; look on the bright side, as we now have more options when a recovery is needed!


We will also look at some techniques that protect special Organizational Units and users from accidental deletion.


Understanding the Difference between Removing and Disabling a Mailbox


Before we start protecting our objects we need to understand the difference between removing and disabling a mailbox using Exchange Server 2010 (the same concept applies to the other versions, but we are going to use Exchange Server 2010 in this article). Whenever you select a mailbox in the Exchange Management Console you have both the Disable and Remove options available in the Actions pane or on the right-click menu of the mailbox, as shown in Figure 1.


Figure 1


The Disable option removes the Exchange attributes of the selected mailbox(es) but does not remove the Active Directory user object, meaning the users keep their logon access and access to their files with the same password. If you select the Remove option, however, you are removing the Active Directory object as well, which means both the mailbox and the AD user will be gone.


Either method allows us to reconnect the previously deleted mailboxes afterwards. The difference is that you cannot restore the user experience when you use the Remove option, because the affected user won’t have their Active Directory attributes set automatically; for example, group memberships and password won’t be the same, and a manual process will be required. To address that issue we will use the Active Directory Recycle Bin, a new feature of Windows Server 2008 R2 that allows us to do exactly that; we will look at it in detail in the next article.


The retention limit for disabled or removed mailboxes is set at the database level; we can define this setting by following these steps:



  1. Open Exchange Management Console
  2. Expand Microsoft Exchange On-Premises
  3. Expand Organization Configuration
  4. Click on Mailbox
  5. Click on Database Management tab
  6. Right-click the desired mailbox database and open the Limits tab, as shown in Figure 2
  7. Here we can define how many days a deleted mailbox is kept in the database, and whether a backup is required before the mailbox is purged from the database after that period. The default setting is 30 days, and the option Don’t permanently delete items until the database has been backed up is unchecked.


The maximum is 24855 days, and don’t forget that a higher number of days increases the database size.


Figure 2


One last thing about Disable and Remove: the default action of the Delete button is to disable the mailbox, not to remove it.
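The same Disable/Remove decision and the database retention setting described above, done from the Exchange Management Shell. This is an added example, not code from the original article; the database name DB01 and the user jdoe/John Doe are placeholders.

```powershell
# Added example (not from the article). Assumes the Exchange Server 2010
# management snap-in is loaded; 'DB01' and 'jdoe' are placeholder names.

# 1. Check the retention policy that governs how long a disconnected
#    mailbox survives in the database (the Limits tab from Figure 2).
Get-MailboxDatabase -Identity 'DB01' |
    Select-Object Name, MailboxRetention, RetainDeletedItemsUntilBackup

# Keep the 30-day default but refuse to purge until a backup has run.
Set-MailboxDatabase -Identity 'DB01' -MailboxRetention '30.00:00:00' `
    -RetainDeletedItemsUntilBackup $true

# 2a. Disable: strips the Exchange attributes, the AD user object stays
#     (logon, password and group memberships are untouched).
Disable-Mailbox -Identity 'jdoe' -Confirm:$false

# 2b. Remove: deletes the AD user object as well. Commented out on purpose;
#     without the AD Recycle Bin the account attributes are not recoverable.
# Remove-Mailbox -Identity 'jdoe' -Confirm:$false

# 3. Disconnected mailboxes are not returned by Get-Mailbox. Refresh the
#    disconnected state and list them through the mailbox statistics.
Clean-MailboxDatabase -Identity 'DB01'
$disconnected = Get-MailboxStatistics -Database 'DB01' |
    Where-Object { $_.DisconnectDate -ne $null } |
    Select-Object DisplayName, MailboxGuid, DisconnectDate
$disconnected | Format-Table -AutoSize

# 4. Reconnect a disabled mailbox to its still-existing AD user.
$m = $disconnected | Where-Object { $_.DisplayName -eq 'John Doe' }
Connect-Mailbox -Identity $m.MailboxGuid -Database 'DB01' `
    -User 'jdoe' -Alias 'jdoe'
```

If the mailbox was removed rather than disabled, the -User parameter must point at a new or restored AD account, which is the case the next article handles with the AD Recycle Bin.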


Protecting Users and Organizational Units


One of the features introduced in Windows Server 2008 was the ability to protect Organizational Units from accidental deletion (Figure 3). In this article we are using Windows Server 2008 R2, where every new OU you create has that option enabled by default, so it is secure by default.


Figure 3


If any user, even an administrator, tries to remove the Organizational Unit, that user receives an error message (Figure 4) stating that either they don’t have permission or the object is protected.


Figure 4


If the user really wants to remove that Organizational Unit, they need to enable the Advanced Features option in Active Directory Users and Computers, then right-click the desired Organizational Unit and uncheck the option Protect object from accidental deletion, as shown in Figure 5. After that they will be able to delete the Organizational Unit; it is hard to believe that after all these steps the deletion could still be a mistake.


Figure 5


You can also protect at the user level; a good example is the CIO account, which you definitely don’t want to mess up. Using Active Directory Users and Computers with Advanced Features enabled (click View and then Advanced Features), open the user’s properties, click the Object tab and check the option Protect object from accidental deletion, as shown in Figure 6.


Figure 6


If you try to delete the user using Active Directory Users and Computers you will receive a message similar to Figure 7.


Figure 7


Now that we know the difference between the Remove and Disable features on the Exchange side: we can disable a mailbox without any issues, and the protection defined in the previous step won’t interfere, because, as we have seen, disabling only removes some attributes and not the entire object from Active Directory. If we try to remove the mailbox, however, the error shown in Figure 8 will be displayed.
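The accidental-deletion protection from Figures 3 to 8, applied and audited with the Windows Server 2008 R2 ActiveDirectory module instead of the GUI. This is an added example, not from the original article; the account name cio is a placeholder.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module
# shipped with Windows Server 2008 R2; 'cio' is a placeholder account.
Import-Module ActiveDirectory

# Audit: new OUs are protected by default, but OUs created before the
# upgrade or imported by scripts may not be. List the unprotected ones.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName

# Protect the CIO account (the Object tab checkbox from Figure 6).
$cio = Get-ADUser -Identity 'cio'
Set-ADObject -Identity $cio.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Verify the flag on the user object.
Get-ADUser -Identity 'cio' -Properties ProtectedFromAccidentalDeletion |
    Select-Object SamAccountName, ProtectedFromAccidentalDeletion

# What the checkbox really does: it writes Deny ACEs for Everyone on the
# object's Delete / DeleteTree rights. That is why even an administrator
# gets the error in Figures 4 and 7, while Disable-Mailbox (an attribute
# write, not a delete) is unaffected. Show those ACEs through the AD: drive.
(Get-Acl -Path "AD:\$($cio.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Running the audit query on a schedule and alerting on any OU or VIP account whose flag has flipped back to False gives you a detection for the "uncheck the box first" path described above.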


Figure 8




In this first article we reviewed the difference between the Remove and Disable features in Exchange Server 2010 and how to protect Active Directory objects using built-in features of the operating system. In the next article we will enable the Active Directory Recycle Bin and see how we can use it to improve our recovery strategy with Exchange. We will also look at the process to restore mailboxes and archives using Exchange Server 2010.


