After you migrate the mailboxes to Microsoft 365/Office 365 and all the SMTP relay goes…
Prevent Exchange mailbox user login after account changes
You must disable the account or change the user account password because a security breach occurred. The user has an Exchange mailbox linked to the account. Disabling the user in Active Directory and thinking that you are done now is NOT correct. Because the old password will still work for a while, and the user can still sign in. In this article, you will learn how to disable the account or change the user account password and ensure that the user can’t log in.
Table of contents
IIS user token cache
An HTTP client such as Exchange ActiveSync (EAS), Outlook Anywhere, Outlook Web Access (OWA), or Exchange Web Services (EWS) are still able to connect to its mailbox after its account has been disabled. Clients may also be able to connect by using an old password after the password has been changed.
Microsoft Internet Information Services (IIS) caches the user’s token so that Windows logon occurs only during the initial logon or after the token has been flushed. (This flushing occurs when the TTL [default setting of 15 minutes] for the token expires.) If the user reconnects before the TTL has expired, the TTL will be reset. It may require 8-24 hours before the changes are recognized.
To clear the token cache and force the client to authenticate, use one of the following methods below.
Solution to Exchange mailbox user login after account changes
The first two methods will restart IIS, which is the best way to ensure that all connections will disconnect after resetting the password or disabling the account in Active Directory. The third method will work excellently, but it’s not a complete IIS restart.
Note: Pay attention that when you restart IIS on the Exchange Server, all mailboxes connected to that Exchange Server will lose connection for a brief moment.
1. Restart IIS on Exchange Server
Sign in to Exchange Server and restart IIS to have the changes taken immediately into effect. Do this on every Exchange Server.
PS C:\> iisreset2. PowerShell script to restart IIS on all Exchange Servers
Suppose you have more than one Exchange Server and want to avoid signing in on every Exchange Server to restart IIS. Instead, it’s easier to copy/paste the Restart-ExchangeIIS.ps1 script into PowerShell ISE and run it. This will restart IIS on all Exchange Servers.
Run this on a Management Server or Exchange Server because you need the Exchange Management tools installed.
# Load Exchange Management Shell PowerShell Snap-In
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
# Get All Exchange Servers
$Servers = Get-ExchangeServer
# Go through the list and restart one by one
foreach ($Server in $Servers) {
Write-Host "Restarting IIS on server: $($Server.Name)" -ForegroundColor Green
IISRESET $Server.Name
# Optional: Get the Status
Write-Host "IIS status for server $($server):"
IISRESET $server.Name /status
}
Write-host "IIS restarted on all Exchange Servers." -ForegroundColor GreenThis is how it looks.
3. Recycle Applications pools
Run PowerShell ISE as administrator. Next, copy/paste the below script and run it.
Restart-WebAppPool -Name "MSExchangeSyncAppPool*"
Restart-WebAppPool -Name "MSExchangeServicesAppPool"
Restart-WebAppPool -Name "MSExchangeOWAAppPool"
# Restart-WebAppPool -Name "DefaultAppPool" # Exchange 2007 and Exchange 2010 only
Restart-WebAppPool -Name "MSExchangeRPCProxyFrontEndAppPool"
Restart-WebAppPool -Name "MSExchangeMAPIFrontEndAppPool"Disable mailbox user account and check OWA
Go to Active Directory Users and Computers. Next, disable the user account, which has a mailbox account.
In this example, it’s the user account, Boris Campbell.
Go to the Exchange OWA address, and you can still sign in to Exchange OWA.
Run one of the above three resolutions to clear the user token in the cache and force the client to authenticate.
The user is logged out and can’t sign in anymore.
Read more: Configure Hybrid Modern Authentication in Exchange on-premises »
Conclusion
You learned how to prevent Exchange mailbox user login after account changes. The next time you disable an account or reset a password with a linked mailbox, ensure that you restart IIS or the specific application pools to ensure that the user cache token is cleared and the user can’t log in anymore.
Did you enjoy this article? You may also like Attachment size limit in Exchange Server. Don’t forget to follow us and share this article.
What Others Are Reading
Good day.
You wrote that
—
Note: Pay attention that when you restart IIS on the Exchange Server, all mailboxes connected to that Exchange Server will lose connection for a brief moment.
—
At the same time, it was written before that that the third method is not a reboot of the IIS. Do I understand correctly that when using the third method, there will be no disconnection of clients?
That’s correct.
Does this issue occur in Exchange server 2019 CU11.
We have Exchange server 2019 CU11 and I tested disabling the account. This account cannot log in to the OWA website. I never restart IIS.
i also curious to know the result..i have same issue.
I tested this on Exchange Server 2019 CU14, and it still occurs.
After applying one of the methods shown in the article, the user could no longer sign in to OWA.