How long does ActiveSync to Exchange cache credentials?

I had a user last night whose AD account was locked out at 6:30 PM EST. However, even though his account was locked out, email was still working without a problem on his ActiveSync-connected iPhone device. When an account is locked, shouldn't all access be terminated until it is unlocked by an admin?

How long would he have been able to read and send emails with a locked AD account using his iPhone device?  He was still able to email me about this at 6:37 AM EST today, so over 12 hours with the account locked, his email was still working.

Note, OWA access was denied, but ActiveSync worked fine.

We've noticed this before when people change passwords: the email still works with the old password for a while on the iOS device, and eventually it prompts them about invalid credentials and they enter the new password to restore connectivity. So how long is this hash or ticket cached?

June 4th, 2015 7:25am

Hi,

ActiveSync can support a cache of 24 hours.

You can disable ActiveSync functionality in the following way:

1. Get info about the user

Get-CASMailbox <user> | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Get-ActiveSyncDeviceStatistics -Mailbox <user> | fl DeviceID


2. Block all Devices for the user
Set-CASMailbox -Identity <user> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<DeviceID_2>"

June 4th, 2015 7:39am
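
The two steps in the reply above combined into one function, as an added example that is not part of the original reply. It assumes an Exchange Management Shell session; the function name Block-UserActiveSyncDevices and the mailbox identity 'jdoe' are hypothetical. It merges the new device IDs with any already on the block list, because Set-CASMailbox replaces the whole list with the value it is given.

```powershell
# Added example: hypothetical helper, run inside the Exchange Management Shell.
function Block-UserActiveSyncDevices {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # Step 1: collect the IDs of every device partnered with the mailbox.
    # (On Exchange 2013 and later, Get-MobileDeviceStatistics replaces this cmdlet.)
    $deviceIds = @(Get-ActiveSyncDeviceStatistics -Mailbox $Identity |
        Select-Object -ExpandProperty DeviceID)

    if ($deviceIds.Count -eq 0) {
        Write-Warning "No ActiveSync devices found for $Identity."
        return
    }

    # Keep IDs that are already blocked so the new list does not drop them.
    $cas = Get-CASMailbox -Identity $Identity
    $blocked = @(@($cas.ActiveSyncBlockedDeviceIDs) + $deviceIds |
        Where-Object { $_ } | Sort-Object -Unique)

    # Step 2: write the merged block list back to the mailbox.
    if ($PSCmdlet.ShouldProcess($Identity, "Block $($blocked.Count) ActiveSync device ID(s)")) {
        Set-CASMailbox -Identity $Identity -ActiveSyncBlockedDeviceIDs $blocked
    }

    # Return the resulting allow and block lists for review.
    Get-CASMailbox -Identity $Identity |
        Select-Object Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

# Preview the change without applying it; 'jdoe' is a placeholder identity.
Block-UserActiveSyncDevices -Identity 'jdoe' -WhatIf
```

Run it again without -WhatIf to apply the block list.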
