
A security breach occurred, and you must disable a user account or change its password. The user has an Exchange mailbox linked to the account. Disabling the user in Active Directory and assuming you are done is NOT correct, because the old password will still work for a while and the user can still sign in. In this article, you will learn how to disable the account or change the user account password and make sure the user can't log in.

IIS user token cache

An HTTP client such as Exchange ActiveSync (EAS), Outlook Anywhere, Outlook Web Access (OWA), or Exchange Web Services (EWS) is still able to connect to the mailbox after the account has been disabled. Clients may also be able to connect with the old password after the password has been changed.

Microsoft Internet Information Services (IIS) caches the user's token, so a Windows logon occurs only during the initial logon or after the token has been flushed. (This flushing occurs when the TTL [default setting of 15 minutes] for the token expires.) If the user reconnects before the TTL has expired, the TTL is reset, so an active client keeps its cached token alive. It may take 8-24 hours before the changes are recognized.

To clear the token cache and force the client to authenticate again, use one of the following methods.

Solution to Exchange mailbox user login after account changes

The first two methods restart IIS, which is the most reliable way to ensure that all connections are dropped after you reset the password or disable the account in Active Directory. The third method also works, but it is not a complete IIS restart.

Note: When you restart IIS on an Exchange Server, all mailboxes served by that Exchange Server lose their connection for a brief moment.

1. Restart IIS on Exchange Server

Sign in to the Exchange Server and restart IIS so the changes take effect immediately. Do this on every Exchange Server.

PS C:\> iisreset

2. PowerShell script to restart IIS on all Exchange Servers

Suppose you have more than one Exchange Server and want to avoid signing in to each one to restart IIS. Instead, copy/paste the Restart-ExchangeIIS.ps1 script into PowerShell ISE and run it. This restarts IIS on all Exchange Servers.
Run it on a Management Server or an Exchange Server, because the Exchange Management Tools need to be installed.

# Load Exchange Management Shell PowerShell Snap-In
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Get All Exchange Servers
$Servers = Get-ExchangeServer

# Go through the list and restart one by one
foreach ($Server in $Servers) {
    Write-Host "Restarting IIS on server: $($Server.Name)" -ForegroundColor Green
    # iisreset accepts a remote computer name as its first argument
    IISRESET $Server.Name

    # Optional: Get the Status
    Write-Host "IIS status for server $($Server.Name):"
    IISRESET $Server.Name /status
}
Write-Host "IIS restarted on all Exchange Servers." -ForegroundColor Green

This is how it looks (screenshot: the script output in PowerShell ISE).

3. Recycle application pools

Run PowerShell ISE as administrator. Next, copy/paste the below script and run it.

# Requires the WebAdministration module, which is present on every Exchange Server
Import-Module WebAdministration

Restart-WebAppPool -Name "MSExchangeSyncAppPool"              # Exchange ActiveSync
Restart-WebAppPool -Name "MSExchangeServicesAppPool"          # Exchange Web Services
Restart-WebAppPool -Name "MSExchangeOWAAppPool"               # Outlook Web Access
# Restart-WebAppPool -Name "DefaultAppPool"                   # Exchange 2007 and Exchange 2010 only
Restart-WebAppPool -Name "MSExchangeRPCProxyFrontEndAppPool"  # Outlook Anywhere
Restart-WebAppPool -Name "MSExchangeMAPIFrontEndAppPool"      # MAPI over HTTP
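The script above recycles the pools on the server you are signed in to. As an added example (not part of the article), the function below generalizes the third method to every Exchange Server in the organization: it gets the server list with Get-ExchangeServer, recycles the same pools on each server through PowerShell remoting, and skips a pool that does not exist on a given server. It assumes the Exchange Management Shell is loaded, that PowerShell remoting to the Exchange Servers is allowed, and that the account running it is an Exchange administrator; the function name Clear-ExchangeUserTokenCache is my own.

```powershell
# Added example, not the article's script: recycle the Exchange front-end
# application pools on every Exchange Server at once.
# Assumptions: Exchange Management Shell loaded (Get-ExchangeServer available),
# PowerShell remoting allowed to each server, Exchange administrator rights.

# The pools that hold cached user tokens for the client protocols named above
$AppPools = @(
    "MSExchangeSyncAppPool",             # Exchange ActiveSync
    "MSExchangeServicesAppPool",         # Exchange Web Services
    "MSExchangeOWAAppPool",              # Outlook Web Access
    "MSExchangeRPCProxyFrontEndAppPool", # Outlook Anywhere
    "MSExchangeMAPIFrontEndAppPool"      # MAPI over HTTP
)

function Clear-ExchangeUserTokenCache {
    param(
        [string[]]$Pools = $AppPools
    )

    # Every Exchange Server in the organization, as in method 2
    $Servers = Get-ExchangeServer

    foreach ($Server in $Servers) {
        Write-Host "Recycling application pools on $($Server.Name)" -ForegroundColor Green

        # The unary comma passes the whole array as one argument
        Invoke-Command -ComputerName $Server.Name -ArgumentList (,$Pools) -ScriptBlock {
            param([string[]]$PoolNames)
            Import-Module WebAdministration   # provides the IIS: drive and Restart-WebAppPool

            foreach ($Pool in $PoolNames) {
                # A pool may be absent on a server that does not host that protocol
                if (Test-Path "IIS:\AppPools\$Pool") {
                    Restart-WebAppPool -Name $Pool
                    "$env:COMPUTERNAME : $Pool recycled"
                } else {
                    "$env:COMPUTERNAME : $Pool not present, skipped"
                }
            }
        }
    }
}

# Run it right after disabling the account or resetting the password in Active Directory
Clear-ExchangeUserTokenCache
```

Because each recycle only affects one application pool, clients on the other protocols keep their connections, which is why this is less disruptive than an iisreset but also not a complete IIS restart.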

Disable mailbox user account and check OWA

Go to Active Directory Users and Computers. Next, disable the user account that has the mailbox.

In this example, it’s the user account, Boris Campbell.

(Screenshot: the disabled user account in Active Directory Users and Computers.)

Open the Exchange OWA address: the user can still sign in to OWA.

(Screenshot: the disabled user still signed in to OWA.)

Run one of the three methods above to clear the user token from the cache and force the client to authenticate again.

(Screenshot: the user signed out of OWA.)

The user is logged out and can't sign in anymore.
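Checking in the browser, as the article does, works for one user on one server. As an added example (not part of the article), the function below performs the same check from PowerShell so it can be repeated after each server is handled: it opens a fresh connection to the EWS endpoint with the disabled (or old) credential and reports whether IIS still accepts it. The host name mail.example.com, the domain name contoso, and the function name Test-ExchangeCredential are placeholders of my own; the user name comes from the article's example.

```powershell
# Added example, not the article's code: verify that a disabled account or an
# old password is refused by Exchange after the token cache has been cleared.
# Assumptions: placeholder host mail.example.com serves EWS over HTTPS with a
# trusted certificate, and the credential is supplied interactively.

function Test-ExchangeCredential {
    param(
        [Parameter(Mandatory)][string]$Url,                 # e.g. https://mail.example.com/ews/exchange.asmx
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        # Each Invoke-WebRequest call is a new HTTP session, so no token from an
        # earlier connection is reused on the client side.
        $response = Invoke-WebRequest -Uri $Url -Credential $Credential -UseBasicParsing
        return ($response.StatusCode -eq 200)   # authenticated: the account can still sign in
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 401) { return $false }  # rejected: the change has taken effect
        throw                                   # DNS, TLS or 5xx errors are test problems, not an answer
    }
}

# The article's example user; "contoso" is a placeholder domain
$cred = Get-Credential -UserName "contoso\boris.campbell" -Message "Credential that should no longer work"

if (Test-ExchangeCredential -Url "https://mail.example.com/ews/exchange.asmx" -Credential $cred) {
    Write-Host "Still accepted: the IIS token cache has not been cleared on every Exchange Server" -ForegroundColor Red
} else {
    Write-Host "Rejected: the user can no longer sign in" -ForegroundColor Green
}
```

Run the check against each Exchange Server's own address as well as the load-balanced name; a cached token lives in the IIS process of a single server, so one server can still accept the credential after another has been restarted.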
