Say you’ve fired someone, or laid them off, or sadly waved goodbye as they left of their own volition. How can you effectively prevent them from accessing your Exchange servers once they’re gone?
Most connections to an Exchange server are persistent, in the sense that once the client has authenticated, the connection remains open. This allows the client to continue to send and receive mail… the exact opposite of what you want. You might think that disabling the Active Directory account for the user would do the trick, and it will indeed prevent other logons from succeeding. However, for about two hours, existing logons will continue to work. Here’s what to do instead:
- Disable the user’s mailbox. This prevents new logons to the mailbox.
- Set the Send Prohibit quota to 0. This prevents the user from sending new mail; the quota change takes effect immediately.
- Move the user’s mailbox to another database. This will immediately disconnect all open mailbox connections from any client.
Voilà! Problem solved. (Hat tip: Scott Schnoll)
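The three steps above as one Exchange Management Shell function. This is an added example, not code from the original post. It assumes Exchange 2010 or later and reads "disable the mailbox" as switching off the client access protocols with Set-CASMailbox, because Disable-Mailbox would detach the mailbox and leave nothing for the later steps to act on; `Lock-DepartedMailbox` and its parameter names are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010+ assumed).
# Lock-DepartedMailbox, $Identity and $TargetDatabase are hypothetical names.
function Lock-DepartedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$TargetDatabase
    )

    # Fail early if the mailbox does not exist or the move would be a no-op.
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    if ($mbx.Database.Name -eq $TargetDatabase) {
        throw "Mailbox is already on '$TargetDatabase'; pick a different database."
    }

    # Step 1 (assumed mapping): refuse new logons on every client protocol.
    if ($PSCmdlet.ShouldProcess($Identity, 'Disable client access protocols')) {
        Set-CASMailbox -Identity $Identity -MAPIEnabled $false -OWAEnabled $false `
            -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false
    }

    # Step 2: send quota of 0. Database defaults must be switched off or the
    # per-mailbox value is ignored; the warning quota is lowered as well
    # because Exchange rejects a send quota that is below it.
    if ($PSCmdlet.ShouldProcess($Identity, 'Set ProhibitSendQuota to 0')) {
        Set-Mailbox -Identity $Identity -UseDatabaseQuotaDefaults $false `
            -IssueWarningQuota 0KB -ProhibitSendQuota 0KB
    }

    # Step 3: move the mailbox so that open client connections are dropped.
    if ($PSCmdlet.ShouldProcess($Identity, "Move mailbox to $TargetDatabase")) {
        New-MoveRequest -Identity $Identity -TargetDatabase $TargetDatabase | Out-Null
    }

    # Emit the resulting state so the change can be recorded in the offboarding ticket.
    Get-Mailbox -Identity $Identity |
        Select-Object Name, Database, UseDatabaseQuotaDefaults, ProhibitSendQuota
    Get-CASMailbox -Identity $Identity |
        Select-Object MAPIEnabled, OWAEnabled, ActiveSyncEnabled, PopEnabled, ImapEnabled
}

# Constructed sample values; preview the changes first with -WhatIf.
# Lock-DepartedMailbox -Identity 'jdoe@example.com' -TargetDatabase 'DB-Offboard' -WhatIf
```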