Users still have access to Outlook Web Access after disabling account or changing password

Remove the “NT AUTHORITY\SELF” from the full permissions

The first thing you can do is remove "NT AUTHORITY\SELF" from the Full Access permissions on the mailbox in Exchange 2007/2010 (untested, but I do not believe Exchange 2003 creates this entry on mailboxes; instead it has one labelled "SELF", which would be the equivalent).
In the Exchange Management Console, navigate to "Recipient Configuration" and click on "Mailbox". Find the user that needs to be disabled or have the password changed and click on it. On the right-hand side, under the Actions pane, click on "Manage Full Access Permissions...", and in the new window remove "NT AUTHORITY\SELF". From what I have tested this change is immediate, as long as the user doesn't already have an existing session open. If they do, then you can bet the fifteen-minute rule still applies.

The only problem with this is that, should the employee be re-hired by "ABC Inc." before the mailbox is removed and you need to reactivate it, you will have to add the "NT AUTHORITY\SELF" entry back to the Full Access mailbox rights or they won't be able to access their mailbox. This can't be done from the same window you removed it from: the management console looks to Active Directory to find the user to add, and "NT AUTHORITY\SELF" is not a true user in the AD sense. Instead you will need to add it using the Exchange Management Shell with the following command:

Add-MailboxPermission -Identity "user" -User "NT AUTHORITY\SELF" -AccessRights FullAccess

For Exchange 2003 and earlier, you're just going to have to re-create the mailbox.

Disable Mailbox Features

This was brought up in response to the spotlight article I wrote; you can read the article here:

http://community.spiceworks.com/topic/205772-angry-ex-employee-still-has-email-access-have-we-been-hacked

In testing this one I disabled the user's mailbox features on their Exchange mailbox (see screenshot; for 2003 this would be the Mailbox Features tab in Active Directory). You can also do this through the management shell, or add it to a script run against a terminated employee, using the following command:

Set-CASMailbox -Identity "User_ID" -OWAEnabled:$false -ActiveSyncEnabled:$false -MAPIEnabled:$false -PopEnabled:$false -ImapEnabled:$false

The important thing to remember for this one is that the user can't already have an open external session into their OWA account or ActiveSync. If they do, then the original rules apply and they will still have access to their account for a minimum of 15 minutes, or longer depending on how they are connected. If they don't have an open session, then disabling ALL mailbox features is immediate in my testing.
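The two mailbox-level steps above (removing the implicit SELF right and disabling every client protocol) combined into one Exchange Management Shell function, with a read-back check so you can see that both changes actually applied. This is an added example, not code from the original post; the alias "jdoe" is a placeholder and the cmdlet parameters are the standard Exchange 2007/2010 ones.

```powershell
# Added example (not from the original post). Run from the Exchange Management
# Shell (2007/2010) with a mailbox alias or e-mail address as -Identity.
function Disable-TerminatedMailbox {
    param([Parameter(Mandatory = $true)][string]$Identity)

    # 1. Turn off every client protocol so no new OWA/ActiveSync/MAPI/POP/IMAP
    #    session can be established (existing sessions still ride out their token).
    Set-CASMailbox -Identity $Identity -OWAEnabled:$false -ActiveSyncEnabled:$false `
        -MAPIEnabled:$false -PopEnabled:$false -ImapEnabled:$false

    # 2. Strip the implicit owner right, the console step from the first section.
    Remove-MailboxPermission -Identity $Identity -User "NT AUTHORITY\SELF" `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false

    # 3. Read the settings back; any $true protocol or SelfHasFullAccess=$true
    #    means that part of the lockout did not take and needs a second look.
    $cas  = Get-CASMailbox -Identity $Identity
    $self = Get-MailboxPermission -Identity $Identity |
        Where-Object { $_.User -like "NT AUTHORITY\SELF" -and $_.AccessRights -contains "FullAccess" }

    # New-Object rather than [pscustomobject] so it also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Mailbox           = $Identity
        OWAEnabled        = $cas.OWAEnabled
        ActiveSyncEnabled = $cas.ActiveSyncEnabled
        MAPIEnabled       = $cas.MAPIEnabled
        PopEnabled        = $cas.PopEnabled
        ImapEnabled       = $cas.ImapEnabled
        SelfHasFullAccess = [bool]$self
        CheckedAt         = Get-Date
    }
}

# Re-hire path: the console cannot add NT AUTHORITY\SELF, so restore it from the shell.
function Restore-MailboxSelfAccess {
    param([Parameter(Mandatory = $true)][string]$Identity)
    Add-MailboxPermission -Identity $Identity -User "NT AUTHORITY\SELF" -AccessRights FullAccess
}

# Usage with a placeholder alias:
Disable-TerminatedMailbox -Identity "jdoe" | Format-List
```

Keep the returned object with your offboarding ticket; it records the state of the mailbox at the time the account was locked down.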

Thanks to dehcbad25 and DarienA for commenting on this in the spotlight article, and to DanaR in the comments below for making me aware of this to test. I can't test every possible scenario, but with the help of the community and comments like these we can certainly make things easier and safer.

Change the default interval for user tokens in IIS

The second thing you can do is change the default interval for user tokens in IIS. This is the one I mentioned above: be careful adjusting it without properly researching all of the adverse effects it may have on your network. Remember that the issues may not crop up right away but could take days, weeks, or months to fully show after making this change.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;152526

Bounce the IIS service

And now the last and easiest solution, but also possibly the most disruptive to your end users during production hours:
bounce the IIS service on each Exchange CAS server (2007/2010; on 2003 you just restart IIS on all Exchange servers). Since we have no idea which CAS server is holding the token, and because Exchange will replicate it to each server, you need to bounce the service on each one. The easiest way to do this is to open a command prompt on each server and issue the command:

IISRESET /noforce

This will attempt to stop and restart the IIS service. If it fails, or returns an error stating it couldn't stop the service, you may need to run the following:

IISRESET /force

Depending on your setup, this could cause your users either to get the credential logon box (meaning multiple phone calls to the helpdesk) or a simple "Disconnected from Exchange server" message in the lower right corner of their Outlook client. The benefit of the IIS reset is that it clears the token cache and forces the issuance of new tokens for every connected user. Not ideal, but given the circumstances and the risk to the company from a terminated, disgruntled employee, the disruption and inconvenience to the users is worth it and justifiable for the organization's integrity.
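Because the token could be cached on any Client Access server, the reset has to reach all of them. The function below, an added example and not part of the original post, discovers the CAS role holders with Get-ExchangeServer and runs the gentler /noforce reset against each one over the network, collecting the exit code per server so you can see which ones still need the forced reset by hand; it assumes the Exchange Management Shell (2007/2010) and local admin rights on every CAS server.

```powershell
# Added example (not from the original post). Run from the Exchange Management
# Shell (2007/2010) as an account that is a local administrator on each CAS server.
function Reset-CasIis {
    param(
        # On Exchange 2003 there is no CAS role; pass -AllServers to reset IIS everywhere.
        [switch]$AllServers
    )

    $servers = Get-ExchangeServer
    if (-not $AllServers) {
        # ServerRole is a flags value such as "Mailbox, ClientAccess, HubTransport".
        $servers = $servers | Where-Object { $_.ServerRole -match "ClientAccess" }
    }

    foreach ($srv in $servers) {
        $name = $srv.Name
        Write-Host "Resetting IIS on $name (/noforce) ..."
        # iisreset accepts a remote computer name as its first argument.
        iisreset $name /noforce | Out-Null
        $exit = $LASTEXITCODE

        if ($exit -ne 0) {
            Write-Warning "IIS reset on $name returned exit code $exit; it may need a forced reset."
        }

        # One record per server so the whole sweep can be kept with the incident notes.
        New-Object PSObject -Property @{
            Server   = $name
            Roles    = [string]$srv.ServerRole
            ExitCode = $exit
            ResetAt  = Get-Date
        }
    }
}

# Usage: reset every CAS server and keep the results.
Reset-CasIis | Sort-Object Server | Format-Table Server, Roles, ExitCode, ResetAt -AutoSize
```

Any server with a non-zero ExitCode is the one to revisit with the forced reset described above; the others have already dropped their cached tokens.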

Source: http://community.spiceworks.com
