We are querying a number (dozens) of LDAP servers (mostly Active Directory, but not exclusively) to determine which mailboxes are active, for the purpose of a mail gateway/forwarding application.
We have come across some instances where userAccountControl has bit 2 set to true (aka ACCOUNTDISABLE), but where the mailbox was still active.
I suppose this would correspond to a Windows login account which was disabled, but for whom the mailbox is still active.
Does this ever really make sense? Or is this simply a broken configuration?
If it does make sense, is there any way via LDAP to reliably detect this configuration (i.e. that userAccountControl is disabled, but that the mailbox is not disabled)?
We are currently ignoring the userAccountControl disabled attribute, because it seems to sometimes (although a small minority of cases) correspond to an active mailbox. We would like to reliably detect this situation rather than leaving these hundreds of "disabled" mailboxes active.
I'd say that msExchMailboxGuid would be the best, since every active mailbox must have one, and Exchange deletes the value when the mailbox is disabled (tested on Exchange 2010 with the latest updates). As for other mail servers that integrate with an LDAP directory, I can't tell because I've never worked with one.
There are actually two disabled states for an Exchange mailbox.
What many people consider "disabling" occurs when the Disable-Mailbox cmdlet is run. This actually removes most of the Exchange attributes from the account, and disconnects the mailbox.
There is however an AD attribute msExchUserAccountControl. If this is set to 2, the mailbox is disabled. The enabled/disabled status is typically the same as userAccountControl and is controlled by Exchange.
If msExchUserAccountControl exists and is 0, the mailbox is technically enabled.
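The two answers above suggest two different attributes; the following added example (not from either answer) combines them into one classifier and one LDAP filter. It assumes entries are dicts of attribute name to list of values, as a client such as ldap3 returns them; the sample entries are constructed.

```python
# Added example: classify mailbox state from the attributes named in the answers.
# Entry format assumed: {attribute: [values]}, as an LDAP client would return.

ACCOUNTDISABLE = 0x2  # userAccountControl flag for a disabled Windows logon


def mailbox_state(entry):
    """Return (logon_disabled, mailbox_state) for one LDAP entry."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    logon_disabled = bool(uac & ACCOUNTDISABLE)

    # First answer: an active mailbox always carries msExchMailboxGuid, and
    # Exchange removes it when the mailbox is disabled (Disable-Mailbox).
    if not entry.get("msExchMailboxGuid"):
        return logon_disabled, "no-mailbox"

    # Second answer: msExchUserAccountControl == 2 marks the mailbox itself as
    # disabled; 0 means enabled, even when the Windows logon is disabled.
    xuac = entry.get("msExchUserAccountControl")
    if xuac and int(xuac[0]) == 2:
        return logon_disabled, "mailbox-disabled"
    return logon_disabled, "mailbox-enabled"


def active_mailbox_filter():
    """LDAP filter for enabled mailboxes, ignoring userAccountControl entirely."""
    return "(&(objectClass=user)(msExchMailboxGuid=*)(!(msExchUserAccountControl=2)))"


# Constructed sample entries (not real directory data).
SAMPLE = {
    "alice": {"userAccountControl": ["512"], "msExchMailboxGuid": [b"\x01" * 16],
              "msExchUserAccountControl": ["0"]},          # normal active account
    "bob":   {"userAccountControl": ["514"], "msExchMailboxGuid": [b"\x02" * 16],
              "msExchUserAccountControl": ["0"]},          # logon disabled, mailbox live
    "carol": {"userAccountControl": ["514"]},              # Disable-Mailbox was run
    "dave":  {"userAccountControl": ["512"], "msExchMailboxGuid": [b"\x04" * 16],
              "msExchUserAccountControl": ["2"]},          # Exchange disabled the mailbox
}


def classify_all(entries=SAMPLE):
    return {name: mailbox_state(e) for name, e in entries.items()}


if __name__ == "__main__":
    for name, (logon_off, state) in classify_all().items():
        print(f"{name:6} logon_disabled={logon_off} {state}")
```

The "bob" entry is the case the question describes: a disabled logon whose mailbox is still enabled, which the filter keeps and a userAccountControl-only check would wrongly drop.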