Exchange: How come a disabled user is still syncing emails (on a phone)?


An issue was raised that a terminated user was still sending and receiving emails from his/her phone. We checked: the user account was disabled (for sure). How the heck was the user still sending emails to us?

A quick search points to this KB: EAS devices still sync after an account is disabled or a password is changed

That is not right!  The solution is described as:

Any of the following methods will force the device to reconnect on a new connection.

Reset IIS

  1. On the Client Access Server(s) that the device connects to, click Start, click Run and type CMD and then press ENTER.
  2. Type iisreset and press ENTER.

This will restart IIS services.  You can also use the Services.msc snap-in to manually Restart the IIS Admin service.

Recycle the Application Pool used by ActiveSync

  1. Click Start, click Administrative Tools, click Internet Information Services (IIS) Manager.
  2. Expand the server name.
  3. Click Application Pools.
  4. Right click the MSExchangeSyncAppPool and click Recycle.

We can’t do this every time an employee leaves the company (contractors and consultants leave more frequently). Resetting IIS or recycling the app pool is a disruptive change to make for every leaving employee, because it affects every ActiveSync user on that Client Access Server.

This blogger had some ideas: http://mellositmusings.com/2012/05/19/how-to-quickly-disable-account-access-in-ad-and-exchange-2010/

But still it’s not enough. I needed a more complete solution without the disruptive part. I found such a solution in the Technet Blogs.

The following Microsoft Technet Blogs cover the issue and the solution. Whether you do it on a one-off basis for a disgruntled employee or add it to your termination process for every employee, you can do the following.

BUT, it will still take about 10 to 15 minutes to take effect. I would add an Active Directory replication to sync all DCs with this command: Repadmin /SyncAll /AeP, run from the DC where you disabled the user account and where the Exchange server resides.

1. Disable Active Sync devices (all of them) for the user

Note down all device IDs from the output of this command:
Get-CASMailbox <user> | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Disable all ActiveSync Devices:
Set-CASMailbox -Identity <user> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<DeviceID_2>"

2. Disable OWA/ActiveSync and Mapi on the account

Disable Web Services:

Set-CASMailbox -Identity <user> -OwaEnabled $false
Set-CASMailbox -Identity <user> -EwsEnabled $false
Set-CASMailbox -Identity <user> -EcpEnabled $false

Disable MAPI:

Set-CASMailbox -Identity <user> -MapiEnabled $false
Set-CASMailbox -Identity <user> -MapiBlockOutlookRpcHttp $true
Set-CASMailbox -Identity <user> -EwsAllowMacOutlook $false
Set-CASMailbox -Identity <user> -EwsAllowOutlook $false

3. Set the Recipients Limits to 0
Set-Mailbox -Identity <user> -RecipientLimits 0

4. Disable the Mailbox and User Account
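The four steps above gathered into one script, as an added example that is not from this post or from the Technet blogs it cites. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module loaded, $User is a placeholder UPN, device IDs are enumerated with Get-ActiveSyncDeviceStatistics (which lists every partnership, not only the Allowed/Blocked lists shown by Get-CASMailbox), and it goes one step further than the post by also setting ActiveSyncEnabled to $false and reading the settings back before disabling the account.

```powershell
# Added example: termination lockdown for one mailbox (Exchange 2010 Management Shell).
# Assumes the ActiveDirectory module is loaded; $User is a placeholder UPN.
param(
    [Parameter(Mandatory = $true)][string]$User
)

# 1. Block every ActiveSync partnership the mailbox has, then turn EAS off entirely.
$deviceIds = @(Get-ActiveSyncDeviceStatistics -Mailbox $User |
    Select-Object -ExpandProperty DeviceID)
if ($deviceIds.Count -gt 0) {
    Set-CASMailbox -Identity $User -ActiveSyncBlockedDeviceIDs $deviceIds
}
Set-CASMailbox -Identity $User -ActiveSyncEnabled $false

# 2. Close the web and MAPI paths (same settings as in the post).
Set-CASMailbox -Identity $User -OwaEnabled $false -EwsEnabled $false -EcpEnabled $false
Set-CASMailbox -Identity $User -MapiEnabled $false -MapiBlockOutlookRpcHttp $true `
    -EwsAllowMacOutlook $false -EwsAllowOutlook $false

# 3. Stop any outbound mail even if a cached session survives the change.
Set-Mailbox -Identity $User -RecipientLimits 0

# Read back and stop if any protocol is still open before touching the account.
$cas  = Get-CASMailbox -Identity $User
$open = @('ActiveSyncEnabled', 'OwaEnabled', 'EwsEnabled', 'EcpEnabled', 'MapiEnabled') |
    Where-Object { $cas.$_ -eq $true }
if ($open) { throw "Protocols still enabled for $User : $($open -join ', ')" }

# 4. Disable the AD account, then push the change to every DC so a device that
#    authenticates against a different DC does not see the old, enabled object.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$User'"
if (-not $adUser) { throw "No AD user found for $User" }
Disable-ADAccount -Identity $adUser
& repadmin /SyncAll /AeP | Out-Null

"Lockdown complete for $User; blocked devices: $($deviceIds -join ', ')"
```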

Here are the blogs that are the source of the above info:

Part I : Disabled Accounts and ActiveSync Devices Continuing to Sync

Part II: Disabled Accounts and Users Still Being Able to Access via Outlook & OWA
