Prevent Exchange mailbox user login after account changes
Suppose you must disable an account or change its password because a security breach occurred, and the user has an Exchange mailbox linked to that account. Disabling the user in Active Directory and assuming you are done is NOT correct, because the old password keeps working for a while and the user can still sign in. In this article, you will learn how to disable the account or change the password and make sure the user really can't log in.
IIS user token cache
HTTP clients such as Exchange ActiveSync (EAS), Outlook Anywhere, Outlook Web Access (OWA), and Exchange Web Services (EWS) can still connect to the mailbox after the account has been disabled. Clients may also be able to connect with the old password after the password has been changed.
Microsoft Internet Information Services (IIS) caches the user's token, so a Windows logon only happens at the initial logon or after the token has been flushed. The flush happens when the token's TTL (15 minutes by default) expires. If the user reconnects before the TTL has expired, the TTL is reset, so a client that keeps polling can hold the cached token indefinitely. In practice it may take 8-24 hours before the changes are recognized.
To clear the token cache and force the client to authenticate again, use one of the following methods.
Solution to Exchange mailbox user login after account changes
The first two methods restart IIS, which is the surest way to drop every connection after resetting the password or disabling the account in Active Directory. The third method also works well, but it recycles only specific application pools rather than restarting IIS completely.
Note: When you restart IIS on an Exchange Server, all mailboxes connected to that Exchange Server lose their connection for a brief moment.
1. Restart IIS on Exchange Server
Sign in to the Exchange Server and restart IIS so the changes take effect immediately. Do this on every Exchange Server.
PS C:\> iisreset
2. PowerShell script to restart IIS on all Exchange Servers
Suppose you have more than one Exchange Server and want to avoid signing in to each one to restart IIS. It's easier to copy/paste the Restart-ExchangeIIS.ps1 script into PowerShell ISE and run it once; it restarts IIS on all Exchange Servers.
Run it on a Management Server or an Exchange Server, because the Exchange Management tools must be installed.
# Load the Exchange Management Shell PowerShell snap-in
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
# Get all Exchange Servers
$Servers = Get-ExchangeServer
# Go through the list and restart IIS on each server (remote IISRESET needs admin rights on the target)
foreach ($Server in $Servers) {
    Write-Host "Restarting IIS on server: $($Server.Name)" -ForegroundColor Green
    IISRESET $Server.Name
    # Optional: show the status of the IIS services after the restart
    Write-Host "IIS status for server $($Server.Name):"
    IISRESET $Server.Name /status
}
Write-Host "IIS restarted on all Exchange Servers." -ForegroundColor Green
3. Recycle application pools
Run PowerShell ISE as administrator on the Exchange Server. Next, copy/paste the script below and run it. It recycles only the application pools that hold the cached user tokens for the client protocols listed above, so the rest of IIS keeps running.
# Load the IIS management cmdlets (requires an elevated session on the Exchange Server)
Import-Module WebAdministration
Restart-WebAppPool -Name "MSExchangeSyncAppPool*"            # Exchange ActiveSync
Restart-WebAppPool -Name "MSExchangeServicesAppPool"         # Exchange Web Services
Restart-WebAppPool -Name "MSExchangeOWAAppPool"              # Outlook Web Access
# Restart-WebAppPool -Name "DefaultAppPool" # Exchange 2007 and Exchange 2010 only
Restart-WebAppPool -Name "MSExchangeRPCProxyFrontEndAppPool" # Outlook Anywhere
Restart-WebAppPool -Name "MSExchangeMAPIFrontEndAppPool"     # MAPI over HTTP
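To combine the second and third methods, the following added example (not the article's own script) recycles only the client-access application pools from this section on every Exchange Server through PowerShell remoting, after first checking that the account really is disabled in Active Directory. It assumes an elevated Exchange Management Shell, the RSAT ActiveDirectory module, WinRM enabled on each server, and that the caller is a local administrator there; the Edge role is skipped because it runs no client-access pools.

```powershell
# Added example, not the article's script. Assumes an elevated Exchange
# Management Shell, the ActiveDirectory module, and WinRM access to every
# Mailbox/Client Access server as a local administrator.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # account you disabled or reset
)

Import-Module ActiveDirectory

# Refuse to touch IIS until the AD change has actually been made.
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($user.Enabled) {
    throw "Account $SamAccountName is still enabled in AD; disable it first."
}

# App pools that cache user tokens for the client protocols named in the article.
$pools = @(
    'MSExchangeSyncAppPool',              # Exchange ActiveSync
    'MSExchangeServicesAppPool',          # Exchange Web Services
    'MSExchangeOWAAppPool',               # Outlook Web Access
    'MSExchangeRPCProxyFrontEndAppPool',  # Outlook Anywhere
    'MSExchangeMAPIFrontEndAppPool'       # MAPI over HTTP
)

# Edge Transport servers have no client-access pools, so leave them out.
$servers = (Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }).Name

$results = Invoke-Command -ComputerName $servers -ArgumentList (,$pools) -ScriptBlock {
    param([string[]]$Pools)
    Import-Module WebAdministration
    foreach ($p in $Pools) {
        if (Test-Path "IIS:\AppPools\$p") {      # skip pools this server does not host
            Restart-WebAppPool -Name $p
            [pscustomobject]@{
                Server = $env:COMPUTERNAME
                Pool   = $p
                State  = (Get-WebAppPoolState -Name $p).Value
            }
        }
    }
}

# Report per server and flag any pool that did not come back to Started.
$results | Sort-Object Server, Pool | Format-Table Server, Pool, State -AutoSize
$failed = $results | Where-Object { $_.State -ne 'Started' }
if ($failed) {
    $list = ($failed | ForEach-Object { $_.Server + '/' + $_.Pool }) -join ', '
    Write-Warning "Pools not running after recycle: $list"
}
```

After it finishes, the cached token for that account is gone on every server, so the next OWA or ActiveSync request has to authenticate against AD again and is rejected.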
Disable mailbox user account and check OWA
Go to Active Directory Users and Computers. Next, disable the user account, which has a mailbox account.
In this example, it's the user account Boris Campbell.
Go to the Exchange OWA address: the disabled user can still sign in to OWA.
Run one of the above three resolutions to clear the user token in the cache and force the client to authenticate.
The user is logged out and can’t sign in anymore.
Conclusion
You learned how to prevent Exchange mailbox user login after account changes. The next time you disable an account or reset the password of an account with a linked mailbox, restart IIS or recycle the specific application pools so that the cached user token is cleared and the user can't log in anymore.
Good day.
You wrote that
—
Note: Pay attention that when you restart IIS on the Exchange Server, all mailboxes connected to that Exchange Server will lose connection for a brief moment.
—
At the same time, it was written before that the third method is not a reboot of the IIS. Do I understand correctly that when using the third method, there will be no disconnection of clients?
Does this issue occur in Exchange Server 2019 CU11?
We have Exchange Server 2019 CU11 and I tested disabling the account. This account cannot log in to the OWA website. I never restarted IIS.