In Exchange 2010 environments, a common administrative question arises: what happens to mailbox access permissions when the associated Active Directory account gets disabled? Specifically, when UserA has full access permissions to UserB's mailbox, does disabling UserB's AD account affect UserA's ability to access that mailbox?
The mailbox remains accessible to delegated users even after the associated AD account is disabled. This occurs because:
- Exchange 2010 maintains mailbox permissions separately from AD account status
- The mailbox database keeps the ACL (Access Control List) intact; its entries reference the delegate's SID, which is not touched when the owner's account is disabled
- Disabled AD accounts still exist in the directory with the same SID and Exchange attributes, just in an inactive state, so the mailbox stays linked to a valid directory object
To confirm this behavior, we can use the Exchange Management Shell (Disable-ADAccount comes from the ActiveDirectory module, so Import-Module ActiveDirectory first). Note that Get-MailboxPermission reports the User as DOMAIN\name, so the wildcard goes in front:
# Check mailbox permissions before disabling
Get-MailboxPermission -Identity DisabledUserMailbox | Where {$_.User -like "*\DelegateUser"}
# Output shows an entry whose AccessRights include FullAccess
# Disable the AD account
Disable-ADAccount -Identity DisabledUser
# Re-read the ACL for that delegate: the FullAccess entry is still there
Get-MailboxPermission -Identity DisabledUserMailbox -User DelegateUser
# There is no Exchange 2010 cmdlet that logs on as the delegate; the real confirmation is the delegate opening the mailbox in Outlook or OWA
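The following script is an added example, not code from the original page: it wraps the check above into a before/after comparison, recording the explicit FullAccess delegates, disabling the account, then re-reading the ACL and the account's msExchMasterAccountSid attribute so the result can be kept as evidence. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module available; the mailbox name "jdoe" is a placeholder.

```powershell
# Added example, not from the original page. Assumes Exchange 2010 Management Shell
# with the ActiveDirectory module available; "jdoe" is a placeholder mailbox.
Import-Module ActiveDirectory

function Get-FullAccessDelegates {
    # Explicit, non-inherited Allow entries that carry FullAccess. Inherited entries
    # (Exchange admin groups) and NT AUTHORITY\SELF are not delegates.
    param([Parameter(Mandatory=$true)][string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -contains "FullAccess") -and
            ($_.User.ToString() -ne "NT AUTHORITY\SELF")
        } |
        ForEach-Object { $_.User.ToString() } |
        Sort-Object -Unique
}

function Test-DelegateAccessSurvivesDisable {
    # Snapshot the delegates, disable the AD account, snapshot again and report.
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    $mbx = Get-Mailbox -Identity $Mailbox
    $before = @(Get-FullAccessDelegates -Identity $mbx.DistinguishedName)
    if ($before.Count -eq 0) {
        # Refuse to disable unattended: nobody but an administrator could open it afterwards
        throw "No explicit FullAccess delegate on $($mbx.Alias); grant one before disabling"
    }

    Disable-ADAccount -Identity $mbx.SamAccountName

    $ad    = Get-ADUser -Identity $mbx.SamAccountName -Properties msExchMasterAccountSid
    $after = @(Get-FullAccessDelegates -Identity $mbx.DistinguishedName)
    # ACL entries that disappeared between the two snapshots (expected: none)
    $lost  = @($before | Where-Object { $after -notcontains $_ })

    New-Object PSObject -Property @{
        Mailbox              = $mbx.Alias
        RecipientTypeDetails = $mbx.RecipientTypeDetails.ToString()
        AccountEnabled       = $ad.Enabled
        MasterAccountSidSet  = ($ad.msExchMasterAccountSid -ne $null)
        DelegatesBefore      = ($before -join ";")
        DelegatesAfter       = ($after -join ";")
        LostEntries          = ($lost -join ";")
        AclUnchanged         = ($lost.Count -eq 0)
    }
}

# Usage (run as an Exchange administrator):
# Test-DelegateAccessSurvivesDisable -Mailbox "jdoe" | Format-List
```

AclUnchanged should come back True; MasterAccountSidSet will normally be False for a user mailbox disabled by hand, which is the difference between this state and a shared mailbox created by Exchange.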
While the ACL itself is unaffected, consider these factors:
- The mailbox retention period (the database's MailboxRetention setting, default 30 days) applies only to disconnected mailboxes; merely disabling the AD account does not start that clock
- Impact on litigation hold or retention policies, which keep applying to the mailbox
- Disabling the AD account (Disable-ADAccount) is not the same as disabling the mailbox (Disable-Mailbox): the latter disconnects the mailbox from the account, strips its Exchange attributes and starts the retention period, after which delegates can no longer open it
For automated handling of such scenarios, you might implement:
function VerifyDelegateAccess($mailbox, $delegate) {
    # $mailbox is a Get-Mailbox object; $delegate is a SamAccountName or DOMAIN\name
    $disabled = -not (Get-ADUser -Identity $mailbox.SamAccountName).Enabled
    # Get-MailboxPermission reports User as DOMAIN\name, so match on the trailing name as well
    $hasAccess = [bool](Get-MailboxPermission -Identity $mailbox.DistinguishedName |
        Where {($_.User.ToString() -eq $delegate -or $_.User.ToString() -like "*\$delegate") -and
               -not $_.Deny -and $_.AccessRights -contains "FullAccess"})
    return ($disabled -and $hasAccess)
}
# Usage:
Import-Module ActiveDirectory
$mbx = Get-Mailbox "DisabledUser"
$result = VerifyDelegateAccess $mbx "DelegateUser"
Write-Host "Access maintained after disable: $result"
If delegated access stops working after disabling an account:
- Verify the mailbox wasn't disconnected by mistake (Disable-Mailbox or Remove-Mailbox run instead of Disable-ADAccount); Get-MailboxStatistics on the database lists disconnected mailboxes with a DisconnectDate
- Check for a Deny entry or an inheritance problem on the mailbox ACL (Get-MailboxPermission shows the Deny and IsInherited columns)
- Confirm the mailbox isn't in the middle of a move to another database (Get-MoveRequest)
- Review server health with Test-ServiceHealth and Test-MAPIConnectivity
Good practice around disabled accounts:
- Document all delegate permissions before disabling accounts
- Consider converting long-term disabled accounts to shared mailboxes (Set-Mailbox -Type Shared)
- Monitor mailbox size: the mailbox of a disabled account still receives mail and still counts toward database quotas
- Implement regular permission audits with PowerShell scripts
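An audit of the kind the last point asks for, as an added example that is not from the original page: it walks every mailbox, keeps the ones whose AD account is disabled, and reports the explicit FullAccess delegates, orphaned ACL entries (principals that now show only as a SID), mailbox size and a finding that says whether the mailbox still needs attention. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module; the CSV path and the finding labels are my own choices.

```powershell
# Added example, not from the original page. Assumes Exchange 2010 Management Shell
# with the ActiveDirectory module; the CSV path is a placeholder.
Import-Module ActiveDirectory

function Get-DisabledAccountMailboxAudit {
    # One row per mailbox whose AD account is disabled, with enough context to
    # decide whether it should be converted to shared, cleaned up, or left alone.
    param([string]$CsvPath)

    $rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $ad = Get-ADUser -Identity $mbx.SamAccountName -Properties msExchMasterAccountSid
        if ($ad.Enabled) { continue }

        # Explicit Allow entries only; inherited entries are the Exchange admin groups
        $acl = @(Get-MailboxPermission -Identity $mbx.DistinguishedName |
                 Where-Object { (-not $_.IsInherited) -and (-not $_.Deny) })
        # FullAccess grants to real principals
        $full = @($acl | Where-Object {
            ($_.AccessRights -contains "FullAccess") -and
            ($_.User.ToString() -ne "NT AUTHORITY\SELF") })
        # Entries whose principal no longer resolves (a deleted delegate account)
        $orphans = @($acl | Where-Object { $_.User.ToString() -like "S-1-5-*" })
        # Size and last logon; a mailbox never logged on to has no statistics row
        $stats = Get-MailboxStatistics -Identity $mbx.DistinguishedName
        $size  = if ($stats) { $stats.TotalItemSize.ToString() } else { "n/a" }
        $last  = if ($stats) { $stats.LastLogonTime } else { $null }

        $finding = "OK"
        if ($mbx.RecipientTypeDetails.ToString() -eq "UserMailbox") {
            if ($full.Count -eq 0) { $finding = "DisabledNoDelegates" }
            elseif ($ad.msExchMasterAccountSid -eq $null) { $finding = "DisabledNotShared" }
        }
        if ($orphans.Count -gt 0) { $finding += ";OrphanedAce" }

        New-Object PSObject -Property @{
            Mailbox         = $mbx.Alias
            Type            = $mbx.RecipientTypeDetails.ToString()
            Database        = $mbx.Database.ToString()
            FullAccessUsers = (($full | ForEach-Object { $_.User.ToString() }) -join ";")
            OrphanedAces    = $orphans.Count
            TotalItemSize   = $size
            LastLogonTime   = $last
            Finding         = $finding
        }
    }
    if ($CsvPath) { $rows | Export-Csv -NoTypeInformation -Path $CsvPath }
    $rows
}

# Usage:
# Get-DisabledAccountMailboxAudit -CsvPath "C:\Reports\disabled-mailboxes.csv" |
#     Where-Object { $_.Finding -ne "OK" } |
#     Format-Table Mailbox,Type,Finding,FullAccessUsers -AutoSize
```

"DisabledNoDelegates" is the row to act on first: nobody can read that mailbox, yet it still receives mail and consumes quota. "DisabledNotShared" is the state the first part of this page describes; it works, but converting it to shared makes the intent explicit and stamps msExchMasterAccountSid the way Exchange does for its own shared mailboxes.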
In Exchange Server 2010 environments, a common administrative question arises regarding mailbox access delegation when the primary account gets disabled in Active Directory. The specific case involves:
- UserA has a mailbox in Exchange 2010
- UserB has been granted Full Access permissions to UserA's mailbox
- Administrator disables UserA's AD account
From the administrator's side there are two cases to distinguish, which the following shell function classifies (this is an illustration of the decision, not Exchange's internal permission code; it assumes the ActiveDirectory module is loaded):
# Classify a mailbox by the state of its AD account
function Get-MailboxAccountState($Identity) {
    $mbx = Get-Mailbox -Identity $Identity
    $ad  = Get-ADUser -Identity $mbx.SamAccountName -Properties msExchMasterAccountSid
    if ($ad.Enabled) {
        # Normal case: delegate access is decided purely by the mailbox ACL
        return "Enabled"
    }
    # Disabled case: shared, room, equipment and linked mailboxes carry msExchMasterAccountSid
    # (SELF or the linked account); a user mailbox whose account was disabled by hand does not
    if ($ad.msExchMasterAccountSid -ne $null) { return "DisabledWithMasterAccountSid" }
    return "DisabledWithoutMasterAccountSid"
}
Key observations from real-world testing (these concern logons by the disabled user, not the delegate's access, which is granted by the mailbox ACL and continues):
- Existing sessions of the disabled user keep working until their Kerberos ticket or open connection expires
- New logons by the disabled user fail; exactly when depends on the client protocol
- OWA logon by the disabled user fails immediately, because it authenticates against AD on every logon
- Outlook in cached mode on the disabled user's workstation may keep working for a while on the existing session and local cache
For maintaining uninterrupted delegated access:
# PowerShell solution for proper permissions maintenance
# 1. Convert to shared mailbox first
Set-Mailbox UserA -Type Shared
# 2. Verify permissions
Get-MailboxPermission UserA | fl User,AccessRights
# 3. Disable AD account
Disable-ADAccount -Identity UserA
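The three steps above as one checked procedure, added here as an example and not code from the original page: the function refuses to touch anything but a user mailbox, makes sure the named delegate actually holds FullAccess before the account goes away (granting it if necessary), converts the mailbox to shared, disables the account explicitly rather than assuming the conversion does so, and re-reads everything so the result can be recorded. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module; the function name and the -Delegate parameter are my own, and UserA and UserB are the placeholder names from the text.

```powershell
# Added example, not from the original page. Assumes Exchange 2010 Management Shell
# with the ActiveDirectory module; "UserA" and "UserB" are the placeholders from the text.
Import-Module ActiveDirectory

function Convert-LeaverMailboxToShared {
    # Grant (or confirm) one FullAccess delegate, convert the mailbox to shared, then
    # disable the AD account, verifying each step. Supports -WhatIf via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string]$Delegate
    )
    $mbx = Get-Mailbox -Identity $Identity
    if ($mbx.RecipientTypeDetails.ToString() -ne "UserMailbox") {
        throw "$($mbx.Alias) is a $($mbx.RecipientTypeDetails), not a user mailbox; nothing to convert"
    }

    # Make sure somebody can open the mailbox once the owner's account is disabled
    $grant = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $Delegate |
             Where-Object { ($_.AccessRights -contains "FullAccess") -and (-not $_.Deny) }
    if (-not $grant) {
        if ($PSCmdlet.ShouldProcess($mbx.Alias, "Grant FullAccess to $Delegate")) {
            Add-MailboxPermission -Identity $mbx.DistinguishedName -User $Delegate `
                -AccessRights FullAccess -InheritanceType All | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($mbx.Alias, "Convert to shared mailbox and disable AD account")) {
        # Set-Mailbox -Type Shared stamps msExchMasterAccountSid with SELF; the account
        # is disabled here as its own step instead of relying on the conversion to do it
        Set-Mailbox -Identity $mbx.DistinguishedName -Type Shared
        Disable-ADAccount -Identity $mbx.SamAccountName
    }

    # Re-read and report what actually happened (with -WhatIf this shows the untouched state)
    $mbx = Get-Mailbox -Identity $mbx.DistinguishedName
    $ad  = Get-ADUser -Identity $mbx.SamAccountName -Properties msExchMasterAccountSid
    $chk = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $Delegate |
           Where-Object { $_.AccessRights -contains "FullAccess" }
    New-Object PSObject -Property @{
        Mailbox               = $mbx.Alias
        Type                  = $mbx.RecipientTypeDetails.ToString()
        AccountEnabled        = $ad.Enabled
        MasterAccountSidSet   = ($ad.msExchMasterAccountSid -ne $null)
        DelegateHasFullAccess = [bool]$chk
    }
}

# Usage: dry run first, then for real
# Convert-LeaverMailboxToShared -Identity "UserA" -Delegate "UserB" -WhatIf
# Convert-LeaverMailboxToShared -Identity "UserA" -Delegate "UserB" | Format-List
```

A successful run reports Type SharedMailbox, AccountEnabled False, MasterAccountSidSet True and DelegateHasFullAccess True; anything else means one of the three steps did not take and should be investigated before the account is considered handled.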
Alternative approaches include:
- Mailbox export/import to new account
- Forwarding new mail to the delegate on the mailbox itself (Set-Mailbox -ForwardingAddress) instead of, or in addition to, giving access to the existing content
- Using litigation hold before disabling
If access breaks unexpectedly:
- Check the Application log on the Mailbox server for MSExchangeIS permission errors
- Verify the mailbox database is mounted (Get-MailboxDatabase -Status | fl Name,Mounted)
- Test with different client protocols: Outlook Anywhere (RPC over HTTP), direct RPC and OWA; MAPI over HTTP does not exist in Exchange 2010, it arrived with Exchange 2013 SP1