Advice needed on mailbox accounts
Hi
I am working for a company as an IT Security Officer (basically take charge of security compliance) and have only recently graduated. I have little experience with Active Directory and especially Exchange Server. Something my boss asked me to look into is all these mailbox accounts we have in our Active Directory under the resource folder.
We were originally told that these accounts have low privileges by the IT support team. However, they all have weak passwords and I am not happy with that. I managed to log onto a mailbox account to determine what can be done on it. Turns out it has way too much access to the network and basically isn't locked down at all! I was fuming to say the least.
Why do mailbox accounts need to be created as users in Active Directory under the resources OU? Is there a particular way to lock these accounts down and can they just be disabled once created?
Regards,
RogueViper101
September 8th, 2011 7:14am
On Thu, 8 Sep 2011 11:00:03 +0000, RogueViper101 wrote:
>Hi I am working for a company as an IT Security Officer (basically take charge of security compliance) and have only recently graduated. I have little experience with Active Directory and especially Exchange Server. Something my boss asked me to look into is all these mailbox accounts we have in our active directory under the resource folder. We were originally told that these accounts have low privileges by the IT support team. However, they all have weak passwords and I am not happy with that. I managed to log onto a mailbox account to determine what can be done on it. Turns out it has way too much access to the network and basically isn't locked down at all! I was fuming to say the least. Why do mailbox accounts need to be created as users in Active Directory under the resources OU?
Only an AD user object can be assigned a mailbox. The OU was just
named "resources" but the name has nothing to do with what it
contains. It could just as well have been named "Elevators". :-)
>Is there a particular way to lock these accounts down and can they just be disabled once created? Regards, RogueViper101
There's no need for a user that's assigned a "resource" mailbox to be
enabled in the AD. Nobody should be logging in as that user. Disable
the user. Now the password doesn't matter. If you want to put a strong
password on the disabled user, go ahead.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 8th, 2011 9:09pm
Many thanks for your reply.
So once we have created a mailbox account, can I disable it straight away, or do I have to wait for some synchronisation with the Exchange server in order for emails to work?
Many thanks,
Mike
September 9th, 2011 4:46am
On Fri, 9 Sep 2011 08:36:11 +0000, RogueViper101 wrote:
>Many thanks for your reply. So once we created a mailbox account can I disable it straight away or do I have to wait for some synchronisation between the exchange server? In order for emails to work.
Disable it as soon as you want to. E-mail delivery to the mailbox
isn't going to be affected. It isn't the mailbox you're disabling,
it's the user.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 9th, 2011 8:40pm
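
Added example, not part of the original thread: one way to audit and then disable the logon-capable accounts behind resource mailboxes, as the replies above recommend. The OU distinguished name is a placeholder, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder: replace with the distinguished name of the OU that holds
# the mailbox accounts (the "resources" OU in the thread).
$ResourceOu = 'OU=Resources,DC=example,DC=com'

# Find every account in that OU that can still be used to log on.
$enabled = Get-ADUser -SearchBase $ResourceOu -SearchScope Subtree `
    -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, mail

# Report before changing anything. A recent LastLogonDate means someone or
# something is logging on as the mailbox account; find out who before
# disabling it, since nobody should be logging in as that user.
$enabled |
    Sort-Object LastLogonDate -Descending |
    Select-Object SamAccountName, mail, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# Dry run: shows which accounts would be disabled without touching them.
$enabled | Disable-ADAccount -WhatIf

# After reviewing the report, remove -WhatIf to apply the change:
# $enabled | Disable-ADAccount

# Verification: count of accounts in the OU that are still enabled.
# Expect 0 once the change has been applied.
@(Get-ADUser -SearchBase $ResourceOu -SearchScope Subtree `
    -Filter 'Enabled -eq $true').Count
```

Only the AD user object is disabled here; the mailbox itself is untouched, so mail delivery continues as described in the reply above.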