This article contains information on managing Mimecast user accounts, including disabling cloud and directory user accounts, handling directory resource forests, and updating Directory Synchronization permissions to prevent login issues or account conflicts.
Mimecast processes emails based on your organization's internal domain email addresses. These serve as a unique identifier for each user's Mimecast archive. These email addresses can exist in the following forms:
- Cloud user accounts that only exist in Mimecast.
- Directory user accounts that are synchronized from your organization's infrastructure.
If you need to revoke access (e.g. when a user leaves your organization) it is important this is done on both the cloud and directory user accounts.
This relies on the automatic linking of aliases, configured in your Account Settings.
Disabling Cloud User Accounts
When an account is disabled in the directory (i.e. the "useraccountcontrol" attribute in your Active Directory is set to a value of 514), Mimecast automatically disables the corresponding user cloud account when the next directory synchronization is performed.
To prevent a user from being able to log in to their Mimecast account using their cloud password before the next directory sync is performed, the user's cloud account must be manually disabled or purged on the Administration Console.
Users that are no longer present in the directory during synchronization can be automatically purged from Mimecast using the Deleted Users option in your Directory Integration. For full details, see the Directory Synchronization Maximum Synchronization Deletions and Deleted Users article.
Directory Resource Forest Environments
When Mimecast Directory Synchronization is used with your organization's directory resource forest, both the Exchange domain and the user domain information are synchronized. A single user can then have two Active Directory accounts: one enabled in the user domain, and one disabled in the Exchange domain. Consequently, as Mimecast synchronizes with each domain in turn, the user's Mimecast account is disabled and then enabled, or vice versa. This may result in users not being able to log in to Mimecast applications.
To prevent this from occurring, the permissions of the Mimecast Directory Synchronization user account can be changed on the user objects in the Exchange domain of the resource forest, where the disabled user accounts reside. Setting an explicit deny permission for the Mimecast Directory Sync user account (on reading the userAccountControl attribute of those objects) prevents the "Account Disabled" setting in the Mimecast platform from being changed by them. This can be accomplished with a single permission change for the Directory Sync user, or alternatively, on an individual user basis.
Organizations not using Mimecast Directory Synchronization with a directory resource forest may still have both enabled and disabled user accounts for the same users in the directory structure. In this instance, Mimecast recommends hiding the disabled users from the Mimecast Directory Sync user, which avoids their Mimecast account being disabled.
Updating the Directory Synchronization User (Recommended)
- Open a command prompt as an administrative user.
- Enter the following command:
dsacls "OU=Unit,DC=domain,DC=local" /I:S /D DOMAIN\user:RP;useraccountcontrol;user
Where:
- "OU=Unit,DC=domain,DC=local" is the distinguished name of the OU where your user accounts reside
- DOMAIN\user is the domain and username of the Mimecast Directory Synchronization User
Individual User Update: Active Directory Users and Computers
Use this option to affect individual user accounts only.
If using this option, it is important to update each user account that needs to access Mimecast applications.
- Open Active Directory Users and Computers as an administrative user, ensuring the Exchange domain where user accounts are disabled is displayed.
- Ensure that Advanced Features is selected from the View menu in the MMC Snap-In.
- Locate the User to be changed.
- Open the user's Properties.
- Select the Security tab.
- Select the Advanced button.
- Select the Add button.
- Enter the name of the Mimecast Directory Synchronization User, select Check Names, and click the OK button.
- Select the Properties tab from the Permission Entry dialog.
- Scroll down to find the Read userAccountControl value.
- Select to Deny this permission.
- Click OK on each of the three open properties dialog boxes to apply the permission.
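Added example, not from the Mimecast article: the same explicit Deny on reading userAccountControl applied with PowerShell, either to an OU and inherited down to user objects (the dsacls command above) or to a single user object (the Active Directory Users and Computers steps), with a read-back check that the ACE landed. It assumes the ActiveDirectory RSAT module is installed; the OU path and account names are the article's placeholders.

```powershell
# Added example, not from the Mimecast article. Names below are placeholders.
Import-Module ActiveDirectory   # provides Get-ADObject, Get-ADRootDSE and the AD: drive
function Get-SchemaGuid {
    # Resolve a schemaIDGUID from the schema partition rather than hardcoding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
function Deny-UacRead {
    # Explicit Deny of ReadProperty on userAccountControl; -InheritToUsers mirrors 'dsacls /I:S ...;user' on an OU.
    param(
        [Parameter(Mandatory)][string]$TargetDN,       # OU DN, or a single user DN without -InheritToUsers
        [Parameter(Mandatory)][string]$SyncAccount,    # 'DOMAIN\user' form
        [switch]$InheritToUsers
    )
    $sid = ([System.Security.Principal.NTAccount]$SyncAccount).Translate([System.Security.Principal.SecurityIdentifier])
    $uacGuid = Get-SchemaGuid 'userAccountControl'
    if ($InheritToUsers) {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $appliesTo = Get-SchemaGuid 'user'          # inherited object type: user class only
    } else {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $appliesTo = [guid]::Empty                  # this object only
    }
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny, $uacGuid, $inherit, $appliesTo)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}
function Test-UacDeny {
    # Read the ACL back and confirm the Deny ACE on userAccountControl is present; returns $true/$false.
    param([Parameter(Mandatory)][string]$TargetDN, [Parameter(Mandatory)][string]$SyncAccount)
    $uacGuid = Get-SchemaGuid 'userAccountControl'
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
        $_.ObjectType -eq $uacGuid
    }
    return [bool]$hit
}
# OU-wide form (equivalent to the article's dsacls command), then verify:
Deny-UacRead -TargetDN 'OU=Unit,DC=domain,DC=local' -SyncAccount 'DOMAIN\user' -InheritToUsers
Test-UacDeny -TargetDN 'OU=Unit,DC=domain,DC=local' -SyncAccount 'DOMAIN\user'
```

For the per-user variant, pass a user's distinguished name as TargetDN and omit -InheritToUsers; the Deny only covers reading userAccountControl, so the sync account can still read every other attribute it needs.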