COMMAND

    Exchange Server

SYSTEMS AFFECTED

    Exchange 5.5 Mailbox with LDAP

PROBLEM

    Wood Adrian found the following.  He recently logged a support call
    with Microsoft after noticing that some of his process  automation
    was not actually doing the job.  In line with the direction stated
    by Microsoft, he has been automating account management with ADSI,
    to the point where a number of automated processes take user details
    from the HR system and populate the NT SAM, select logon  processing
    based on HR workgroups, create and update Exchange mailboxes  with a
    person's  current  details,  disable  the account when the  person
    leaves, and notify the helpdesk of all activities and changes.   So
    far so good.

    When a person leaves, a helpdesk  rep uses a web form to  schedule
    deletion of the account.  Here's where the problem occurs...

    Wood has referenced documents from Microsoft that describe how  this
    can be done using Exchange 5.5 or Exchange 2000 (vaporware until
    released).  All seemed well until he noticed that the  "deletion"
    removes only the directory (DS) entry, which is hardly useful:  the
    mailbox itself stays behind in the information store (IS).  In fact,
    it would be downright embarrassing if you had to recover from a
    directory corruption using the DS/IS consistency adjuster,  which
    faithfully creates directory entries for the orphaned mailboxes and
    so repopulates the "deleted" accounts into the GAL.

    Reference for details: Microsoft Knowledge Base article Q252988,
    "BUG: Deleting Exchange 5.5 Mailbox with LDAP Poses Security Risk".
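
    The deletion step described above, as an added illustration that is
    not code from the original report or from Microsoft.  The server
    name, the site and organisation naming context and the mailbox alias
    are assumptions.  The script removes the mailbox's directory object
    over LDAP with ADSI and then performs the only check ADSI can make
    (the directory object is gone); it has no view of the information
    store, so a "successful" run still leaves the mailbox data on the
    server.

```vbscript
' Assumed values (not from the original report): an Exchange 5.5 server,
' the site's Recipients container and the alias of the leaver's mailbox.
Const EXCH_SERVER = "exchsrv01"
Const RECIPIENTS  = "cn=Recipients,ou=HEADOFFICE,o=EXAMPLECORP"
Const ALIAS       = "jbloggs"

' Exchange 5.5 mailboxes are organizationalPerson objects under the
' site's Recipients container, reachable through the LDAP ADSI provider.
Dim container, mailbox, mailboxPath
mailboxPath = "LDAP://" & EXCH_SERVER & "/cn=" & ALIAS & "," & RECIPIENTS

On Error Resume Next
Set mailbox = GetObject(mailboxPath)
If Err.Number <> 0 Then
    WScript.Echo "Directory object not found: " & mailboxPath
    WScript.Quit 1
End If
On Error GoTo 0

' Record the name before deleting, for the helpdesk notification.
WScript.Echo "Deleting directory entry for: " & mailbox.Get("cn")
Set mailbox = Nothing

' This is the "delete" the advisory warns about.  It removes ONLY the
' directory (DS) object.  The mailbox remains in the information store
' (IS); the DS/IS consistency adjuster will later create a directory
' entry for the orphaned mailbox and put the "deleted" user back in
' the GAL.
Set container = GetObject("LDAP://" & EXCH_SERVER & "/" & RECIPIENTS)
container.Delete "organizationalPerson", "cn=" & ALIAS

' The only check ADSI can make: the directory object is gone.  This is
' not evidence that the mailbox data is gone, so do not report the
' account as deleted on the strength of it.
On Error Resume Next
Set mailbox = GetObject(mailboxPath)
If Err.Number <> 0 Then
    WScript.Echo "Directory entry removed; mailbox may still be in the IS."
Else
    WScript.Echo "Directory entry still present."
End If
```

    Run it with cscript against a test site, then compare the mailbox
    list under the server's Private Information Store (Mailbox
    Resources) in Exchange Administrator before and after: the store
    entry survives the LDAP deletion.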

SOLUTION

    Being a good and trusting Microsoft customer, Wood logged the  call
    expecting "Here is the patch you need to apply...".  What he  got
    was:

      'They have decided not to do so as "It would take a major design
      change  to  change  the  store  behaviour to do integrity checks
      against the DS.  This is way too risky for 5.5. "'

    Don't use ADSI (or any other plain LDAP client) to remove  Exchange
    5.5 mailboxes: regardless of what you might read, it removes  only
    the directory entry and leaves the mailbox in the information store.
    Delete mailboxes through the Exchange Administrator program instead,
    and if you have already removed mailboxes over LDAP, audit the
    information store for orphaned mailboxes before you ever run the
    DS/IS consistency adjuster.