Home > ActiveSync, Powershell, Security > Properly Terminating User Access

Properly Terminating User Access

Security is a big part of any IT professional’s job. Employee turnover is inevitable in any organization and when employee and organization part way, it is not always amicable. For this reason, it is important that when an employee is terminated, they immediately lose access to all company systems. If you ask most IT professionals what they do when HR notifies them that an employee has been terminated, you will get answers like:

  • Change user’s passwords
  • Disable user’s accounts
  • Issue wipe command to mobile devices

Those are certainly good security practices but imagine performing those steps then getting an angry call from the VP of Sales that the Account Manager who just left the company for a position with the competition is sending emails to clients, from their company email account, informing the clients that he now works for company X, which has a superior product.

Your immediate reaction is that this isn’t possible as you have disabled the accounts and changed the passwords. You check Exchange message tracking and verify the emails are indeed coming from the terminated account. What you don’t realize is that disabling an account or changing the password will prevent a new authentication session but it will not affect a current session. In this case, the terminated employee could be logged to the mailbox with a mobile device that hasn’t been wiped, an OWA session, or an Outlook Anywhere session from a personal computer. Those sessions will remain active until they time out, which could be hours or days.

You could perform a IIS reset on your Exchange CAS server, which will reset the connection, but that could be disruptive to other users as their sessions will also be reset. A better way to ensure the terminated employee’s sessions are disconnected is to set the logon hours on the AD account to never. As soon as the current time falls outside the allowed logon hours on an AD account, any active sessions are immediately terminated.

To set the logon hours to never, open the user account in ADUC and go to the Account tab, then click the Logon Hours button.


In the Logon Hours window, click the Logon Denied button.


Ensure the whole grid is white then click OK. Once this change replicates throughout your directory, any active sessions this users has will be terminated.

If you would prefer to set the logon hours to never with powershell, you can run the following command, which requires the Quest AD cmdlets:

Get-QADUser user | Set-QADUser -ObjectAttributes @{logonhours=[byte[]](,0*21)}

The credit for this command is this discussion on the powergui forum.

If you set the logon hours to never as part of your termination process, you will ensure you never get into a situation where a terminated employee continues to have access to resources.

  1. WAKzYon
    October 15, 2012 at 6:17 pm

    Hello Jammie,

    I discovered your updated script to the wizbang exchange tracker, I think its amazing, I have one question though, how can I modify the script to allow the Dashboard Tab (Mailflow charts and top users lists) to be Exported to an HTML report ?

    • jamiemckillop
      October 16, 2012 at 12:28 am


      Thanks for the feedback. I’ll work on adding the functionality to export the Dashboard tab to an HTML file.


  2. October 18, 2012 at 4:57 pm

    I’ve released version 2.1 of the WizBang Exchange Message tracker, which includes an export to html button.


  3. Eva
    February 2, 2013 at 2:31 am

    Thanks for your follow up to your active sync power tool!

    I like the idea of setting the login hours and I do that now, but I still have to do a block of all devices for users and we use a Quest product that performs several actions on accounts when they get disabled. I’m trying to come up with a script that will block and then remove the devices and as you know, if a user account is moved to a new OU then you can’t remove the device because the device identity is tied to the user dn and it never gets updated when a user is moved to a new OU. The only way to delete it is to do it before the user moves to a new OU or using a mapi tool to do it under the users mailbox db level.

    Any ideas how to do a script like this, a block followed by remove?

    • February 7, 2013 at 6:19 pm

      If you have set the logon hours to denied for all hours, there should be no need to block any devices as the user will not be able to connect.

  4. Racha
    May 8, 2013 at 2:16 am

    Jamiemck, just curious how will denying logon terminate owa/outlook anywhere sessions. Those sessions are based on cached user token which doesn’t get flushed every 15 minutes by default on CAS/IIS server. Please elaborate. Thank you.

    • May 8, 2013 at 4:42 pm

      I’m not sure how this works behind the scenes. All I can tell you is that I have tested this and it works.


      • Racha
        May 9, 2013 at 1:28 am

        Thanks for your prompt response. I’ll test denying logon and see what happens. Thanks again.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: