Recipe17.10.Mail-Disabling a User

Recipe 17.10. Mail-Disabling a User

Problem

You want to mail-disable a user.

Solution

Using a graphical user interface

Open the ADUC snap-in.

This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see Recipe 17.6).
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
On the Welcome screen, click Next.
Select Remove Exchange Attributes and click Next.
Read the warning and click Next.
On the Completion screen, click Finish.

Using a command-line interface

> exchmbx -b "<User DN>" -clear

Replace <User DN> with the user's distinguished name.

For an alternative Microsoft native tool method, create an LDIF file called clearmailattribs.ldf with the following contents:

dn: <UserDN>  changetype: modify replace: altRecipient altRecipient: - replace: authOrig authOrig: - ... <SEE DISCUSSION, NOT A COMPLETE LDIF FILE> ...

Replace <UserDN> with the user's distinguished name. Note that this is not a complete LDIF file as there are many attributes that must be cleared (see the Discussion section). Once you've created the LDIF file, run the following command:

> ldifde -i -f clearmailattribs.ldf

Using VBScript

' This code mail disables a user. ' ------ SCRIPT CONFIGURATION ------ strUserDN = "<UserDN>"   ' e.g., cn=jsmith,cn=Users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) objUser.MailDisable objUser.SetInfo( ) Wscript.Echo "Successfully mail-disabled user."

Discussion

This recipe removes the Active Directory Exchange attributes for a previously mail-enabled user. This is a simple process from ADUC and from VBScript, but behind the scenes several attributes are being updated. For a complete list of the attributes that are modified, see MS KB 307350.

Mail-disabling a user requires Exchange Data Administrator permissions. See the Discussion for Recipe 17.7.

Using a graphical user interface

This process is identical to the process for deleting a user's mailbox.

Using a command-line interface

The ExchMbx solution is simple and, unlike the VBScript solution, can be used on either mail- or mailbox-enabled users.

If you want to clear the Exchange mail attributes on several objects at once remove the -b option from the parameter list and pipe the distinguished names into ExchMbx from another tool or from a file. Run exchmbx /? for usage details.

The LDIF solution requires some additional explanation. The LDIF file shown in the solution is not complete. You must clear many more attributes than listed. Check out MS KB 307350 for the current listing of attributes that should be cleared when removing Exchange attributes (there were about 90 at the time of this writing).

Using VBScript

The VBScript solution leverages the CDOEXM MailDisable method to mail-disable the user. Unfortunately, you can not use this method to mailbox-disable a user. So when you call this method, you should be sure that the user is mail-enabled versus mailbox-enabled. If you use this method on a mailbox-enabled user, you will get an error such as "E-mail addresses cannot be removed from this user because it has a mailbox." The quick way to ascertain whether a user has a mailbox or is simply mail-enabled is to check for the existence of the homeMDB attribute. If a user object has homeMDB populated, there is an associated mailbox for that account.