[CanuckBB]

To the best of my recollection, mail sent to a disabled account will bounce.

I assume that the account is automatically disbled by IMS. You need to run a report daily on disabled accounts to make sure all other IT related functions for that account are disabled.

Fully automated termination procedures are generally bad.

[fadmin]

But not sure how is this blackberry issue? If user account in AD is disabled that does not disable exchange mailbox. And that is on purpose done, so mgmt may check from time to time to see if there is business related msgs that needs attn. If you disable mailbox then it will stop mail coming to a BB. Think of this as mail forwarding only done by BES that does it more secure, but it is nothing but mail forwarding. If you had it enabled on the server to forward mail to internal or external emai, then disabling AD acct and not mailbox will continue to work to any account and not just blackberry.
I agree it would be nice to have bes ad integration but this is not BES issue but rather exchange issue.

BBlunk, with your setup I am more concerned that you guys allow personal equipment to connect to a network but provide them with sim? What is the point of that? Not sure in what kind of business you are in but that is huge no no. In any case this should not be too expensive to fix, as I assume that when calculate support cost per user you budgeted that at some point IT dep. would need to do removal of the user as well.

[BBLunk]

@NJBlackBerry: You're right, no consensus has been reached in this thread. I meant to say that the general consensus in our organization is that disabling AD accounts does not prevent BB mail access and is therefore a gaping hole for us. I've not seen anything yet to contradict that opinion. Nico's tests appear to support this opinion, but unfortunately in a Notes environment, not Exchange.

@freakinvibe: The problem, as I understand it, is that the BES using an Active Directory service account for its MAPI calls to the Exchange server. The user's AD account isn't referenced whatsoever. This makes sense, because the BB doesn't authenticate to the BES using AD credentials, so the BES can't impersonate the user in the MAPI calls. The status of User AD accounts seems to have no bearing whatsoever on BB/BES mail sync. This, coupled with us not disabling BES accounts and/or forcing users to surrender their BBs, has left us exposed. It would be awesome if BES would check that AD user accounts are enabled before allowing mail sync, but I can't find anything to suggest that it does.

@CanuckBB: I agree with fadmin... Disabling the AD account does not prevent mail being sent to the associated mailbox, unless you're running Exchange 2003 without the hotfix described in Microsoft KB 903158.

@fadmin: Apologies... We don't actually allow individuals to use their own BB's with a corporate SIM. I was trying to simplify my initial post. I thought it might derail the conversation if I explained that we actually allow some corporate users to keep their corporate BBs when the leave the organization (shock, horror).

I know it's a big ask, but is anyone in a position to run the test below and post the results?

1. Create a test user account in Active Directory and a corresponding mailbox in MS Exchange
2. Create a BES account for the test user
3. Activate a BB for access to the Mailbox of the test user
4. Send/receive mail via BB to confirm it functions
5. Disable the test user account (and wait for AD replication)
6. Attempt to access mail via PC, OWA, iPhone, Android or Windows Phone to confirm that access is denied.
7. Send/receive mail via BB to confirm that access is still allowed

Optionally:
8. Switch SIM in BB. New SIM must also have BES data plan.
9. Send/receive mail via BB to confirm that access is still allowed without reactivation.

Regards,
Lunk

[fadmin]

Ways described in 6. will not work as it does ask for user credentials to authanticate before it lets you in.
7. will work as (simplified) BESAdmin does it for a user. Removing BESAdmin from users mailbox permission will do the same thing, disable redirection.

[Nico57]

Quote:

Originally Posted by NJBlackBerry

I don't agree with that "consensus" (and didn't see it posted anywhere). I believe if the account is disabled in AD, the e-mail to the BB is also disabled.

Instead of believing, just try it.

E-mail access is only one part of the problem anyway.
To me, network access through MDS_CS is actually a much bigger issue.

A user whose AD/Domino account has been terminated, but whose BES account has not been taken care of, still has direct access to the corporate network and can virtually do a lot of bad things.

[CanuckBB]

In the end, you need to make sure IT is notified of employee terminations.