BlackBerry Forums Support Community
              

Old 11-26-2007, 05:38 PM   #1
texaskrs
New Member
 
Join Date: Nov 2007
Model: 9530
PIN: N/A
Carrier: VZW
Posts: 5
BES and disabled users in Exchange

I am looking for any constructive input on a subject that is giving me grief.

First a little history (I am sure many are aware of this):
Prior to Daylight Saving Time if an account in AD was disabled and had a mailbox associated with it, the e-mail account was basically useless. If you tried to email it, you would receive an NDR (Non-Deliverable Report / Bounce Back Message) stating this email account wasn't functional. And the mailbox would not receive the email. Also, if a user had Out of Office (OOF) enabled, when his / her account was disabled, OOF would stop working because the mail would never reach the mailbox.

Post Daylight Saving Time, when an e-mail is sent to a client that has been disabled, the mailbox will receive the mail (no NDR will be sent). Also, if OOF is turned on, the mailbox will send that OOF message back to the sender. The sender would not know anything about the status of this client; it would be just as if the client was enabled. The ability for a user to access a disabled mailbox has not been altered; it is still denied.

We have contacted Microsoft about this and in summary this is what we were told; Prior functionality was considered to be a "Bug" (to our knowledge it has always been this way).

Now my issue: we are a med/large BES environment with about 950 BlackBerry users. We have approximately 14,000 user accounts. Our current process for clients retiring/quitting/being fired is for our Security team to disable the user account in AD. After a period of 30 days of the account being disabled we will delete the mailbox; this is in place in case of mistakes, clients coming back etc. Clients are responsible for procuring their own devices and then expensing the costs.

Our issue is a client leaves and their user account is disabled; great, they can no longer access the environment, or so it was thought ... email will continue to flow to their mailbox and then to their BlackBerry. To my knowledge (and I have contacted RIM) there is no process or means through the BES to detect whether a client has been disabled or not.

We are looking at what needs to take place to better our process for this; I am just looking for ideas or information on what other BES admins are doing in this case. We need a programmatic way to determine if the client is currently associated with the BES and disabled. By default I know of no attribute in AD for BES users (we may have to add this and then query off of that). Does anyone know of any third party apps that do this? I don't see anything in the resource kit as well. Any input would be appreciated. Thank you in advance and I apologize for the long read.
Old 11-26-2007, 06:41 PM   #2
bertiebassett
CrackBerry Addict
 
Join Date: Aug 2005
Location: London, UK
Model: 9700
Carrier: O2
Posts: 961

Surely you just add one step to the process - when the sec team disable the account on AD, they also turn off re-direction on the BES server. Then on the 30 day rule, you hose the BES account as well.

But if someone's walked wouldn't you want to wipe the device first - in which case change the disable re-direction to disable re-direction and wipe device. Plus it might be nice to punch them out a default policy too - you say it's their device.

IIRC 5.0 is meant to simplify this issue, whereby you can spec on an AD account is stopped/removed mail delivery via BB is stopped/removed.
__________________
LOTS of answers here: Main Page - BlackBerryFAQ
Old 11-28-2007, 01:46 PM   #3
Rad_TIAA
New Member
 
Join Date: Nov 2007
Model: 8830
PIN: N/A
Carrier: Verizon
Posts: 4

Hello TexasKrs,

There is an attribute in AD that will tell you if an account is disabled... try this query:

    ' userAccountControl bit 2 (ACCOUNTDISABLE), tested with the bitwise-AND matching rule OID
    ldapstr = "<LDAP://" & DomainContainer & _
        ">;(&(&(&(& (mailnickname=*) (|(&(objectCategory=person)" & _
        "(userAccountControl:1.2.840.113556.1.4.803:=2)(objectClass=user)" & _
        "(homeMDB=*)))))(objectCategory=user)(Name=" & _
        "*" & ")));adspath;subtree"

What I have done is, query AD then go against the BES database to see if any of the disabled accounts from AD matches the ones in the BES DB then remove them from the server. The resource Kit has the "BESUserAdminClient" that will remove users from the server. You will have to script the process to go against AD and BES DB to remove users from your environment.

As Bertiebassett suggested, you should wipe the device the minute the person leaves the company unless you are not concerned with Corporate data.
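
The cross-check described in post #3 (disabled, mailbox-enabled AD accounts matched against the BES user list), as an added example that is not part of the original thread. It assumes the AD query results and a BES user export are already in hand; the sample records, the CSV column names and matching on SMTP address are all constructed for illustration.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl bit tested by the LDAP filter in the thread

# Constructed sample data standing in for AD query results (all names are made up).
AD_USERS = [
    {"sAMAccountName": "jdoe", "mail": "JDoe@example.com", "userAccountControl": 514, "homeMDB": "CN=MBX1"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "userAccountControl": 512, "homeMDB": "CN=MBX1"},
    {"sAMAccountName": "bwong", "mail": "bwong@example.com", "userAccountControl": 66050, "homeMDB": "CN=MBX2"},
    {"sAMAccountName": "svc01", "mail": None, "userAccountControl": 514, "homeMDB": None},
]

# Constructed CSV standing in for a BES user export; the column names are hypothetical.
BES_EXPORT = """DisplayName,SMTPAddress,PIN
John Doe,jdoe@example.com,2100000A
Alice Smith,asmith@example.com,2100000B
Carl Young,cyoung@example.com,2100000C
"""

def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(int(uac) & ACCOUNTDISABLE)

def disabled_mailbox_users(ad_users):
    """Disabled accounts that still have a mailbox (homeMDB and an SMTP address)."""
    return [u for u in ad_users
            if is_disabled(u["userAccountControl"]) and u.get("homeMDB") and u.get("mail")]

def load_bes_users(csv_text):
    """Index the BES export by lower-cased SMTP address for case-insensitive matching."""
    return {row["SMTPAddress"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(ad_users, bes_csv):
    """Return (disabled users still on the BES with their PIN, disabled users with mailbox only)."""
    bes = load_bes_users(bes_csv)
    still_on_bes, mailbox_only = [], []
    for user in disabled_mailbox_users(ad_users):
        key = user["mail"].strip().lower()
        if key in bes:
            still_on_bes.append((user["sAMAccountName"], bes[key]["PIN"]))
        else:
            mailbox_only.append(user["sAMAccountName"])
    return still_on_bes, mailbox_only

if __name__ == "__main__":
    on_bes, mailbox_only = reconcile(AD_USERS, BES_EXPORT)
    print("Disabled in AD but still on BES:", on_bes)
    print("Disabled in AD, mailbox only:", mailbox_only)
```

The first list is the set to disable redirection for, wipe and remove from the BES; the second is disabled accounts whose mailboxes still accept mail until the 30-day deletion.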
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.