Disable & Enable Organizations in Exchange 2010 SP1 multi-tenant

One thing I have noticed while working with Exchange 2010 SP1 installed in hosting (or multi-tenant) mode is the lack of the possibility to disable/enable a tenant organization.

There are many scenarios where disabling a tenant organization is useful. For example, if a client didn’t pay, you might want to suspend their account without deleting the whole organization and making them lose data.

I have recently developed my own scripts to disable and enable, or suspend and resume, a specific organization for a client of mine and never thought of sharing them until yesterday, when this same question popped up on the TechNet forum and I thought that they might be helpful for some of you, so here they are.

Disclaimer

I need to start with a disclaimer: I have built these scripts for my own use, so they are not polished and might be lacking a lot of features and surely have some bugs. Although I am ready to work on them and enhance them if they find interest and feedback, I am not to be held responsible for any damage they might cause to your environment. So, in short,

THE SCRIPTS ARE PROVIDED FREE OF CHARGE AND “AS IS” WITHOUT WARRANTY OF ANY KIND, AND MAY NOT BE ERROR FREE. ANTOINE KHATER, THE AUTHOR OF THESE SCRIPTS, DISCLAIM ALL WARRANTIES AND LIABILITY FOR ANY KIND OF DAMAGES AND/OR LOSS.

Disable-Organization.ps1

This script disables, or suspends, a tenant organization and has 2 modes.

  • Passing Mode [default]: When run in passing mode this script will deny users access to their emails, however incoming emails will not be blocked.
  • Blocking Mode: Set by using the -Blocking:$true parameter. In this mode the script will not only deny users access to their emails but will also block all incoming emails. Incoming mails to users of a blocked organization will be rejected.

Requirements: This script makes use of the CustomAttribute15 in Active Directory. This attribute should be free and available for Disable-Organization to work.

How it works (pseudo-code)

  1. Get all user accounts in the tenant organization
  2. For each user in the tenant organization
    • If user is enabled
      • Change CustomAttribute15 to “Administratively Disabled” : This is used to identify users that were disabled by the script
      • Disable the user
    • If script running in blocking mode
      • Add to the AcceptMessagesOnlyFrom list the user itself: This will block all external incoming emails if initially allowed

Example

.\Disable-Organization.ps1 -Organization OrgName -Blocking:$true
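One way to implement the steps above in the Exchange Management Shell, as an added example that is not the author's Disable-Organization.ps1. It assumes the ActiveDirectory module is available and that "disable the user" means disabling the Active Directory account; the `$Marker` variable, the `-WhatIf` support and the skip when CustomAttribute15 is already in use are illustrative choices.

```powershell
# Added example, not the author's script. Run from the Exchange Management
# Shell of a hosting-mode installation with the ActiveDirectory module present.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Organization,
    [switch]$Blocking
)

Import-Module ActiveDirectory
$Marker = 'Administratively Disabled'   # value the page stores in CustomAttribute15

# Step 1: get every mailbox in the tenant organization
$mailboxes = Get-Mailbox -Organization $Organization -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    $dn = $mbx.DistinguishedName         # unambiguous across tenants
    $account = Get-ADUser -Identity $dn

    if ($account.Enabled) {
        # The requirement says the attribute must be free: never overwrite other data
        if ($mbx.CustomAttribute15 -and $mbx.CustomAttribute15 -ne $Marker) {
            Write-Warning "$dn : CustomAttribute15 already in use, skipped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, 'Mark and disable account')) {
            # Marker first, so a failed disable still leaves the account identifiable
            Set-Mailbox -Identity $dn -CustomAttribute15 $Marker
            Disable-ADAccount -Identity $dn
        }
    }
    # Accounts that were already disabled get no marker, so a later resume
    # leaves them disabled instead of silently re-enabling them.

    if ($Blocking -and $PSCmdlet.ShouldProcess($dn, 'Accept mail only from self')) {
        # Add rather than replace, so existing sender restrictions survive
        Set-Mailbox -Identity $dn -AcceptMessagesOnlyFrom @{Add = $dn}
    }
}
```

Running it with `-WhatIf` first lists the accounts that would be touched without changing anything.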

Enable-Organization.ps1

This script enables, or resumes, a tenant organization.

Requirements: This script makes use of the CustomAttribute15 in Active Directory. This attribute should be free and available for Enable-Organization to work.

How it works (pseudo-code)

  1. Get all the mailboxes in the tenant organization
  2. For each user in the organization
    • If user was administratively disabled
      • Clear the CustomAttribute15
      • Enable the user
    • Remove user itself from the AcceptMessagesOnlyFrom list: Restore the user to its original state

Example

.\Enable-Organization.ps1

Download

Disable-Organization.ps1 (Last edit 2010-10-16)
Enable-Organization.ps1 (Last edit 2010-10-16)

Conclusion

If you use these scripts, enhance them, find bugs or just have a feature request, kindly drop a comment below.
I hope these will be helpful to some.

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be one of the few making a living out of my passion. I am also a member of the famous Experts Exchange online community, where I try my best to share what I have learned along the road.
