Hi all,
We lost an employee today. I disabled his account through the Active Directory Users and Computers snap-in and he was still able to log in to his e-mail via OWA and send/receive messages.
When I was alerted to this, I also went ahead and changed his password and I tested logging in to his account; it wasn't accepting the new password. I knew his old one though and was still able to log in to OWA with it. We're talking a good hour after I initially disabled his account at this point.
It wasn't until I ran a GPUPDATE /FORCE on the CAS and a DC that OWA finally recognized that his account was disabled.
So, why is it that he was still able to log in an hour after I disabled his account? Some sort of domain caching? How can I prevent this in the future?
As an aside, as a company policy, user accounts are kept for 60 days and mailboxes are kept for an additional 30 days after that, so I can't disable a mailbox through Exchange, as it wouldn't fit with my retention needs. We also just finished our migration from Exchange 2003 to 2010 a couple of weeks ago.
Thanks in advance! :)