Generic Accounts - EAS
I have several generic domain accounts with email and Exchange ActiveSync enabled. I thought that resetting the password when an employee leaves would disable their phone's access, but I found out the hard way that is not true. Even after deleting the phone from Exchange Manager, it just comes right back. How can I permanently delete a phone's access to EAS while still allowing the new user's phone to connect?
It is Exchange 2007
January 24th, 2011 7:00pm
What version of Exchange? With Exchange 2010 you can block by Device ID, which would allow you to keep the account active but only block that specific device. Changing the password on the account should resolve the issue, as the user must authenticate before EAS will connect and sync. Performing a remote wipe would be preferred, since the mailbox will still reside on the phone with no ability to sync. The only gotcha is that the remote wipe will reset the device back to default (clearing all data on the phone), and the account password cannot be changed until the wipe command has been initiated.
MVP Exchange Server
January 24th, 2011 7:29pm
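The per-device approach described above, as an added Exchange Management Shell example that was not posted in this thread: it lists the partnerships on a shared mailbox, removes the departed employee's partnership, and then pins the mailbox to the current holder's device with an allow list. It assumes these cmdlets and the ActiveSyncAllowedDeviceIDs parameter are available in the version in use; the mailbox name and the device IDs are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions: shared mailbox is called "genericmailbox"; device IDs are placeholders
# to be replaced with values taken from step 1.
$Mailbox = "genericmailbox"

# 1. Which devices currently hold an EAS partnership with the shared mailbox?
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceID, LastSuccessSync, Identity

# 2. Remove the departed employee's partnership (Identity from step 1).
#    On its own this is not enough: a phone that still holds working credentials
#    simply re-creates the partnership on its next sync, as the thread describes.
$Old = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceID -eq "<OLD-DEVICE-ID>" }
if ($Old) {
    Remove-ActiveSyncDevice -Identity $Old.Identity -Confirm:$false
}

# 3. Pin the mailbox to the current holder's device only. Once an allow list is set,
#    any other DeviceID is refused even if its credentials still authenticate,
#    so the shared account stays usable for the new holder.
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs "<NEW-DEVICE-ID>"

# 4. Still rotate the account password afterwards; the allow list is what blocks the
#    old device immediately, while cached credentials on it age out on their own.

# 5. Verify the mailbox state: EAS enabled, and only the allowed DeviceID listed.
Get-CASMailbox -Identity $Mailbox |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs
```

When the account is later handed to another employee, repeat step 3 with that person's DeviceID; the previous holder's device drops out of the allow list automatically.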
John, thanks for the information. I am using Exchange 2007 still, we are not ready to upgrade yet.
I would like to be able to do the remote wipe, but these are previous employees' personal phones. We allow those to connect. I just need a way to cut the tie once the employee has moved on. In my testing, the password reset does not cut this tie at all. I have even tried deleting the phone in OWA, changing the password via AD, and disabling EAS in Exchange on that user, then, after some time, enabling it again, and that phone still automatically comes back. If I go into the phone and try messing with the account settings, then it can no longer authenticate.
Tony M
January 24th, 2011 7:59pm
Tony, I would suggest a remote wipe after the employee has moved on, or have the employee submit the phone to you so you can remove the Exchange account while preserving the user's personal data/settings. As for the phones reconnecting and performing a sync after you have changed the account password, I have not seen this happen in any scenario of Exchange EAS. If the password is reset, the phone will prompt for a password when a sync is performed and will not continue, and most likely will lock the account, assuming you have an Account Lockout Policy set. If this is not happening then we need to figure out why; some additional logging may need to be initiated, but I would perform some field testing to confirm this is indeed the case.
MVP Exchange Server
January 24th, 2011 8:12pm
Thanks John, I will do some more testing. But so far iPhone, iPad and Palm Pre all auto-reconnect, with no prompt for a password. I think the Account Lockout Policy may be what I need to look into. Thanks again.
Tony M
January 24th, 2011 8:30pm
Tony,
No problem. If you get the issue resolved, please post back with your findings as it may help other Exchange admins. Thanks.
MVP Exchange Server
January 24th, 2011 9:10pm
I found this thread later.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/fcd0b903-d677-4222-ae92-9180b5977381
"This means that if you change your password in AD there is a latency before this is replicated between DCs and the Exchange server, and then there is some more time before the cached credentials expire. So it's not impossible for your device to be in sync
for some time after you changed the password. But I have not seen an instance where the device doesn't prompt the user eventually." - Andreas Helland
Tony M
January 25th, 2011 5:28pm
Interesting, I never thought about that aspect of AD replication in a multi-server environment. Thanks for the feedback.
MVP Exchange Server
January 25th, 2011 5:47pm