Thursday, October 25, 2007

Deleting Mailbox-Enabled Users

If you choose to delete a mailbox-enabled user or group, the mailbox in the message store of the Exchange 200x server will not be disabled. To disable the mailbox, you should clear the following attributes in Active Directory before deleting the account:

Attributes to Clear

homeMDB,
mail,
mailNickname,
homeMTA,
legacyExchangeDN,
msExchHomeServerName,
msExchMailboxGuid,
msExchPoliciesIncluded,
proxyAddresses,
textEncodedORAddress

By clearing these 9 attributes from the user properties before deleting the user account, Active Directory will notify the Exchange 200x server that the mailbox attached to this account should be disabled.

Wednesday, October 17, 2007

userPrincipalName (User-Principal-Name)

The userPrincipalName is a single-valued and indexed property that specifies the user principal name (UPN). The UPN is an Internet-style login name for the user. The UPN is shorter than the distinguished name and easier to remember. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name.

The UPN as the Preferred Logon Name

Users should use their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog.
By convention, the UPN should map to the user's e-mail name.

The UPN can be assigned, but is not required. Once assigned, the UPN is unaffected by changes to other properties of the user object. If a parent domain was renamed or a domain was moved, the user can keep the same login name, even if the directory is radically restructured.

The UPN Name Structure

The UPN must be unique among all security principal objects within the directory forest.
The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the @ (at sign) to complete the UPN.

The UPN can consist of any name for the user (such as the sAMAccountName) combined with the domain tree name or an e-mail domain name.

Sample User Principal Name:

name@domain.com, Email.Name@emailAddress.com

Common Active Directory Attributes, Syntaxes, and Meanings

The following list contains a number of commonly used Active Directory attributes, their meanings, their syntax, and which objects contain them in the default Active Directory schema:

accountExpires (user)
The date on which a user account will expire. This attribute takes the form of a long (64-bit) integer. To convert this value into a textual date, use the ADSearch Convert function.

canonicalName (all objects)
A type of name for an object which takes the form of "domain.com/container/container/object". This style of name is very human readable. This attribute takes the form of a string.

cn (user, group, computer, contact)
The uplevel name of an object. It is the leaf part of a distinguishedName (for example, the "cn=joe" of "cn=joe,ou=someou,dc=domain,dc=com".)

dc (domainDNS)
The uplevel name of a domain. It is the leaf part of the distinguished name of the domain (for example, the "dc=domain" of "dc=domain,dc=com".)

distinguishedName (all objects)
This is the distinguished name of the object. It represents the full path to an object (without the server and provider) in the directory. This attribute takes the form of a single-valued string. If you are searching Active Directory, this attribute cannot be used as a key to search on. This is because it is a generated attribute (that is, it is generated every time it is asked for).

isCriticalSystemObject (all objects)
This attribute specifies whether an object is critical for the operation of Active Directory. This attribute takes the form of a Boolean value. If its value is true, the object is critical to Active Directory and is not deletable.

logonHours (user)
The times at which a user is allowed to log on. This attribute takes the form of an octet string (a sequence of hexadecimal characters, with each set of two characters representing one byte). To convert this binary data into a more meaningful set of data, use the ADSearch Convert function.

member (group)
The objects which are members of the group. This attribute takes the form of a multi-valued string, with each element being the distinguished name of a member. If the member is a Foreign Security Principal, the distinguished name will be in the form "CN=sid", where sid is the SID of the member.

objectCategory (all objects)
Represents the path to the schema class of which an object is an instance. This attribute takes the form of a single valued string. If searching for objects, it is recommended that this be used instead of the objectClass, as it is an indexed attribute and replicated to the Global Catalog. Note that the whole path need not be used to search on this attribute, rather only the cn of the class (for example, person for user and contact, and organizational-unit for OUs.)

objectClass (all objects)
Represents the inheritance hierarchy of an object's class. This attribute takes the form of a multi-valued string.

objectGUID (all objects)
A GUID which uniquely identifies an object within the directory. This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert the raw binary data that is retrieved from this attribute to a more readable or useful form, use the ADSearch Convert function.

objectSid (all security principals)
Contains the security identifier of an object. This SID can be used to represent an object in various places on the network (Active Directory, File System ACLs, or anywhere else users are added to ACLs.) This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert this binary value into a more useful textual value use the ADSearch Convert function.

ou (organizationalUnit)
The uplevel name of an organizational unit. It is the leaf part of the distinguished name of an organizational unit (for example, the "ou=someou" of "ou=someou,dc=domain,dc=com").

sAMAccountName (user, computer, group)
The downlevel name of the object. This is the name that will be seen by downlevel administrative tools and other pre-Windows 200x tools. This attribute takes the form of a single-valued string.

userAccountControl (user)
A set of bit flags defining certain properties of a user. This attribute takes the form of a 32-bit integer. This attribute is a combination of the following bit values:

Value   Description
1       The logon script will be executed.
2       The user account is disabled.
8       A home directory is required.
16      The account is locked out.
32      The account does not require a password.
64      The account is not allowed to change its password.
512     The account is a typical user account.
65536   The account password never expires.
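As an added example (not part of the original post or of ADSearch), the following Python decodes a userAccountControl value into the flags tabulated above, using Microsoft's flag names for those bit values, and audits a set of constructed user records for enabled accounts whose password bits weaken them:

```python
# Added example: decode userAccountControl bit flags and audit them.
# Flag names are the Microsoft names for the bit values listed above.
UAC_FLAGS = {
    1: "SCRIPT",
    2: "ACCOUNTDISABLE",
    8: "HOMEDIR_REQUIRED",
    16: "LOCKOUT",
    32: "PASSWD_NOTREQD",
    64: "PASSWD_CANT_CHANGE",
    512: "NORMAL_ACCOUNT",
    65536: "DONT_EXPIRE_PASSWORD",
}

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    unknown = value & ~sum(UAC_FLAGS)   # bits not covered by the table above
    if unknown:
        names.append("UNKNOWN(0x%X)" % unknown)
    return names

def audit_uac(records):
    """Report enabled accounts with weak password settings.

    records maps sAMAccountName -> userAccountControl. Disabled accounts
    (bit 2) are skipped; an enabled account with PASSWD_NOTREQD (32) or
    DONT_EXPIRE_PASSWORD (65536) set is reported with the reason.
    """
    findings = {}
    for sam, uac in records.items():
        if uac & 2:
            continue
        issues = []
        if uac & 32:
            issues.append("password not required")
        if uac & 65536:
            issues.append("password never expires")
        if issues:
            findings[sam] = issues
    return findings

# Constructed sample records (not real accounts).
SAMPLE_USERS = {
    "jdoe": 512,           # ordinary enabled user
    "svc_backup": 66048,   # 512 + 65536: enabled, password never expires
    "kiosk": 544,          # 512 + 32: enabled, no password required
    "olduser": 514,        # 512 + 2: disabled, ignored by the audit
}

if __name__ == "__main__":
    for sam, uac in SAMPLE_USERS.items():
        print(sam, uac, decode_uac(uac))
    print(audit_uac(SAMPLE_USERS))
```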

Monday, October 15, 2007

Convert Raw AD Properties

ADSearch v3.0x features a conversion tool that converts raw, unreadable Active Directory properties into readable properties.

GUIDRaw
Convert the raw form of a GUID to the textual form of a GUID.

SIDRaw
Convert the raw form of a SID to the textual form of a SID.

LHRaw
Convert the raw (octet string) form of an hours attribute such as logonHours to a textual hours representation. Example: "1-24<-><->8-17<->...."

IRawDate
Convert the raw form of a date in integer format such as accountExpires to the textual form of a date.

Quick How To

ADSearch 3.0x and up allows you to quickly copy and paste the raw information into the conversion tool and convert it to a readable form.

Example:
To get the last password reset date and time in a readable format.

From the menu select Search Active Directory; select the domain and the bind server to log on to.
Select ObjectType: user
Select SearchBy: name
Select SearchResults: pwdLastSet
Enter ALL for Refine Search

Once the results for all users are returned and the pwdLastSet value looks like 128153342196114592, double click an account name. In the Copy to Clipboard popup window, select 128153342196114592.

Once this is done, select ADSearch Tools from the menu and choose Convert Raw Active Directory Data.

Select the domain to convert the information for and choose Convert Raw Date to Textual Date.
In the Enter Raw Date popup, right click the textbox and paste the raw date from the clipboard.

The raw date will convert to: 02/07/07@11:03:39

With ADSearch, you can use this method to convert raw dates, SIDs, GUIDs and compound times.
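The same conversions (IRawDate, SIDRaw and GUIDRaw above) can be done offline without ADSearch. The following Python is an added example, not ADSearch's own code: it treats the raw date as 100-nanosecond ticks since 1601-01-01 UTC, the raw SID as its binary layout (revision, sub-authority count, 48-bit authority, little-endian sub-authorities) and the raw GUID as the 16-byte little-endian form. The sample SID and GUID bytes are constructed; the date is the value from the post, which comes out as 15:03:39 UTC, the same instant the post shows rendered in a local time zone.

```python
# Added example: convert raw Active Directory values to readable form.
import struct
import uuid
from datetime import datetime, timedelta, timezone

# AD "large integer" timestamps count 100-ns ticks from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def raw_date_to_datetime(raw):
    """Convert accountExpires/pwdLastSet style ticks to a UTC datetime.

    0 and 0x7FFFFFFFFFFFFFFF are AD's 'never' values; return None for them.
    """
    ticks = int(raw)
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def raw_date_to_text(raw):
    """Render the tick value as 'MM/DD/YY@HH:MM:SS' (UTC) like the tool's layout."""
    dt = raw_date_to_datetime(raw)
    return "never" if dt is None else dt.strftime("%m/%d/%y@%H:%M:%S")

def raw_sid_to_string(raw):
    """Convert an objectSid (hex string or bytes) to the S-1-5-... form."""
    data = bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)
    revision, sub_count = data[0], data[1]
    if len(data) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, data, 8)  # little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def raw_guid_to_string(raw):
    """Convert an objectGUID (hex string or bytes) to its textual GUID."""
    data = bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)
    return str(uuid.UUID(bytes_le=data))

if __name__ == "__main__":
    print(raw_date_to_text(128153342196114592))    # value from the post, in UTC
    # Constructed sample: BUILTIN\Administrators, S-1-5-32-544
    print(raw_sid_to_string("01020000000000052000000020020000"))
    # Constructed sample GUID bytes
    print(raw_guid_to_string("0123456789abcdef0123456789abcdef"))
```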