Hi @Brian, there was a question done by @Jjj saying: "This update does not recognize disabled owa access. If I go into the eac and disable owa, the user still has access. Owa is really flakey inngeneral and public folder data is not working right either.
What a mess exchange has become."
And you say to check the KB 2835562. I read the article and the workaround suggested is:
For on-premises Exchange Server
Use Active Directory Users and Computers to disable mailbox access by removing the user’s ability to log on to the Active Directory environment. To do this, follow these steps:1.Open Active Directory Users and Computers.
2.Locate the user whose information you want to edit. To do this, use the Find feature. Or, browse to the organizational unit to which the user belongs.
3.Double-click the user, and then, in the <UserName> Properties dialog box, click the Account tab.
4.Under Account options, select Account is disabled, and then click OK.
Is it my bad english or I understood to disable the user account??? I mean, disable the user account? What if the user goes to the office, needs to logon to his machine, needs to logon to Lync or any other service that use authentication?
(isn't easier to send the employee on undetermined vacations, delete his user account. When MS decides to release CU2 we call the employee back "hey man, vacations are over, come back to work", and we recreate the account? XD XD)
Anyways, there are 2 workarounds I see for this situation.
1. If you have domain-joined ISA or TMG, you can put the users exceptions directly in the OWA publishing rule. Bingo!
2. The above option will only work for Internet users. Any internal user may browse the OWA site bypassing the Publishing server.
In this scenario I onced used this feature:
URL Authorization Feature Requirements (IIS 7)
http://technet.microsoft.com/en-us/library/cc771315(v=ws.10).aspx
Create a Deny Rule for URL Authorization (IIS 7)
http://technet.microsoft.com/en-us/library/cc772441(v=ws.10).aspx
"Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Create a Deny rule when you want to prevent access to Web content for specific roles, groups, or users. If you want to further restrict the actions a client request can take, you can also specify that the server will only evaluate this rule when the client
attempts to use certain HTTP verbs—for example, GET or POST."
As the article says, applies to W2008R2. So I don't know if this would work in W2012 (which has IIS8). But if you have Ex2013 running under W2008R2, feel free to test!!!
Honestly, I can't believe Microsoft recommends to disable the user account! XD
Thanks!
(sorry for my bad english)