Some truths you live with for a lifetime, like the fact that Outlook users cannot send email using an alternate email address (with Outlook in MAPI mode; see the previous post, “HOW TO: Send as alternate email address”). Others change as Microsoft Exchange evolves, either through new versions of Exchange server, or through service packs and hotfixes.
Disabled mailboxes cannot receive email. Or rather, could not receive email. This has been true all this while, and hasn’t changed in Exchange 2000 or Exchange Server 2003, including SP1 and SP2.
The reason is described in Microsoft KBA 319047 – “You receive a non-delivery report when you send a message to a disabled account”.
In addition to not being able to receive email, administrators face a few other operational issues when managing disabled mailboxes:
- A common scenario: An employee leaves. You disable the account, as part of a standard operating procedure followed in most organizations. You assign his/her manager/co-worker/replacement permissions to access the mailbox. If the mailbox is disabled, they can’t access it!
- A disabled mailbox needs to be enabled first before it can be moved (KBA 278966: “You cannot move or log on to an Exchange resource mailbox”).
- The Application Event Log is flooded with annoying Event ID 9548s, informing you that the disabled account does not have a msExchMasterAccountSID attribute populated – something most Exchange administrators have probably gnashed their teeth at a few times a day.
Workarounds exist to populate the msExchMasterAccountSID attribute with the well-known SELF SID (KBA 322890 “How to associate an external account with an existing Exchange 2000 mailbox”), but this is not something you want to do at regular intervals, every time an account, or a bunch of them, is disabled.
The hotfix mentioned in KBA 903158: “A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox” changes that behavior. It makes the Store act as if a disabled account with a null/empty msExchMasterAccountSID attribute actually has the SELF SID.
All the above actions (and more) complete successfully for disabled accounts. Yes, disabled accounts receive email if you have this hotfix applied – or any subsequent hotfix that updates Store.exe to version 6.5.7234.3 or later.
But what if I don’t want disabled accounts to receive email? To prevent disabled accounts from receiving any email, set up Delivery Restrictions (in ADUC | user -> properties | Exchange General tab) to:
1. Receive mail from authenticated users only: With Recipient Filtering enabled, this will drop internet mail at the gateway or the first Exchange server that receives inbound internet mail.
2. Receive mail only from: a particular Distribution Group (use a Distribution Group with no members).
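
To find disabled mailboxes that will accept mail from anyone once the hotfix is applied, the directory can be audited for the two restrictions above. The following Python script is an added example, not from the original post or from Microsoft: it reads an ldifde-style LDIF export (the sample records are constructed) and reports the restriction on each disabled, mailbox-enabled account. It assumes the two ADUC settings are stored in the msExchRequireAuthToSendTo and dLMemSubmitPerms attributes and that homeMDB marks a mailbox-enabled user; confirm these against your own directory.

```python
import re
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled account

# Constructed sample in ldifde export style; every name and DN is made up.
SAMPLE_LDIF = """\
dn: CN=Alice Leaver,OU=Staff,DC=example,DC=com
userAccountControl: 514
homeMDB: CN=Mailbox Store,DC=example,DC=com

dn: CN=Bob Leaver,OU=Staff,DC=example,DC=com
userAccountControl: 514
homeMDB: CN=Mailbox Store,DC=example,DC=com
msExchRequireAuthToSendTo: TRUE

dn: CN=Carol Leaver,OU=Staff,DC=example,DC=com
userAccountControl: 514
homeMDB: CN=Mailbox Store,DC=example,DC=com
dLMemSubmitPerms: CN=No Senders,OU=Groups,DC=example,DC=com

dn: CN=Dave Active,OU=Staff,DC=example,DC=com
userAccountControl: 512
homeMDB: CN=Mailbox Store,DC=example,DC=com
"""

def parse_ldif(text):  # returns one {attribute: [values]} dict per record
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    records = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                rec.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        records.append(rec)
    return records

def audit_disabled_mailboxes(text):
    findings = {}  # DN of each disabled mailbox -> delivery restriction found
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", ["0"])[0])
        if not (uac & ACCOUNTDISABLE) or "homemdb" not in rec:
            continue  # enabled account, or no mailbox
        state = "unrestricted"  # receives mail from anyone after the hotfix
        if "dlmemsubmitperms" in rec:  # assumed attribute for "only from" group
            state = "group-restricted"
        elif rec.get("msexchrequireauthtosendto") == ["TRUE"]:  # assumed attribute
            state = "authenticated-only"
        findings[rec["dn"][0]] = state
    return findings
```

Accounts reported as "authenticated-only" still accept mail from internal authenticated senders; only the empty-group restriction blocks all delivery.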