While testing the feasibility of a Bring Your Own Device (BYOD) policy with Exchange 2010 ActiveSync we noticed some odd behavior with disabled accounts.
One of the policies we decided on was that during an employee termination we would disable sending and receiving on the ActiveSync device before we removed the ActiveSync account or wiped the device. The idea was that this would give a terminated employee time to make any personal phone calls before handing their personal device over to IT so we could remove the ActiveSync account. If they refused to hand it over we would wipe the device instead.
In testing we originally thought it would be enough to disable the AD account and reset its password to force propagation of the change throughout the forest. To our surprise, although the disabled account could no longer access network resources, it could still send and receive email via ActiveSync. Furthermore, the account could also log in to Outlook Web Access with both the old and the new password. This behavior could sometimes last for hours!
After some research and a little help from the TechNet Community I found that the behavior stems from cached access tokens in IIS. OWA, ActiveSync and EWS all run under IIS, which caches an authenticated user's access token for up to 15 minutes, so disabling the account or changing its password is not noticed until the cached token expires. In my environment (and a few others) the cached tokens lasted for a few hours, so I'm not sure what other factors are at play in keeping them alive longer than the 15-minute interval. One way to reset the tokens is to restart IIS, but that is a little extreme as it flushes every cached token and drops every active connection on the server, not just the terminated user's.
One of the methods mentioned in the TechNet forums was setting the mailbox's recipient limit to 0:
Set-Mailbox -Identity "John Smith" -RecipientLimits 0
Obviously this still allows the user to access OWA, ActiveSync and the address book, but it stops them from sending any nasty emails through their disabled account after the fact. I also tried setting the mailbox's prohibit-send storage quota to 0, but that didn't seem to apply in a timely fashion (about 15 minutes). Setting the recipient limit was almost instantaneous and takes effect even in the middle of an existing OWA session.
I then tried to see if I could force an IIS token refresh by changing the password of a disabled account and then logging in with the new password. This had the strange side effect of caching two IIS tokens, one that worked with the old password and one that worked with the new one!
Overall the best method was to disable OWA and ActiveSync on the user's mailbox:
Set-CASMailbox -Identity "John Smith" -OWAEnabled:$False
Set-CASMailbox -Identity "John Smith" -ActiveSyncEnabled:$False
This took effect within 5 minutes and successfully locked the account out of both services. Note that these two commands touch only OWA and ActiveSync; EWS, which also runs under IIS and is subject to the same token caching, is not disabled by them.
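To tie the recipient-limit trick and the Set-CASMailbox lockout together into one repeatable termination step, here is an added example for the Exchange 2010 Management Shell. It is not from the original post or from Microsoft; the function name, the -IncludeEws and -Wipe switches, and the verification helper are my own additions, and it assumes Exchange 2010 SP1 or later for the ActiveSync device cmdlets. Disabling the AD account and resetting its password still happens in your normal provisioning step; this script only covers the Exchange side, because, as described above, the AD change alone does not clear the cached IIS token.

```powershell
# Added example (not the original post's code). Run from the Exchange
# Management Shell on Exchange 2010 SP1+. Names and switches are assumptions.

function Lock-TerminatedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Also disable EWS, which runs under IIS and caches tokens the same
        # way. Assumption: the terminated user needs no EWS-based clients.
        [switch]$IncludeEws,

        # Remote-wipe every ActiveSync partnership on the mailbox. Only use
        # this when the employee has refused to hand the device over.
        [switch]$Wipe
    )

    # Step 1: cut off the IIS-fronted client protocols. The post reports this
    # taking effect within about 5 minutes, unlike disabling the AD account.
    if ($PSCmdlet.ShouldProcess($Identity, 'Disable OWA and ActiveSync')) {
        Set-CASMailbox -Identity $Identity -OWAEnabled:$false -ActiveSyncEnabled:$false
        if ($IncludeEws) {
            Set-CASMailbox -Identity $Identity -EWSEnabled:$false
        }
    }

    # Step 2: belt and braces. A recipient limit of 0 stops outbound mail
    # almost immediately, even inside an OWA session whose token is cached.
    if ($PSCmdlet.ShouldProcess($Identity, 'Set recipient limit to 0')) {
        Set-Mailbox -Identity $Identity -RecipientLimits 0
    }

    # Step 3 (optional): wipe any device that still has a sync partnership.
    if ($Wipe) {
        Get-ActiveSyncDeviceStatistics -Mailbox $Identity | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DeviceId, 'Remote wipe')) {
                Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false
            }
        }
    }
}

function Test-TerminatedMailboxLockout {
    # Returns $true only when every control above is actually in place, so the
    # termination ticket records evidence rather than intent.
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $cas = Get-CASMailbox -Identity $Identity
    $mbx = Get-Mailbox -Identity $Identity

    # RecipientLimits is an Unlimited<int>; compare its string form to avoid
    # the "Unlimited" value being coerced unexpectedly.
    $recipientLimitIsZero = ($mbx.RecipientLimits.ToString() -eq '0')

    return (-not $cas.OWAEnabled) -and
           (-not $cas.ActiveSyncEnabled) -and
           $recipientLimitIsZero
}

# Usage (dry run first, then for real):
#   Lock-TerminatedMailbox -Identity "John Smith" -WhatIf
#   Lock-TerminatedMailbox -Identity "John Smith"
#   Test-TerminatedMailboxLockout -Identity "John Smith"
```

Run the dry run with -WhatIf before the real call so the list of affected devices is visible before any wipe is issued, and keep Test-TerminatedMailboxLockout in the offboarding checklist: the whole point of the post is that the obvious AD-side change looks complete while the cached IIS token still lets mail flow, so verify the Exchange-side state rather than assuming it.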