Disabling user accounts best practice

Hello,

Is there a Microsoft recommended best practice for disabling user accounts? I have heard several times that if you just right-click on a user account and select disable that this creates performance slowdowns for Exchange public folders. This is because for each access to a public folder by any user Exchange has to look up the ACL for the folder and it takes longer to resolve members/permissions when it encounters disabled accounts.

I have been told by MS engineers over the phone that it is better to disable user accounts by setting their logon hours to none to avoid this Exchange performance hit but cannot find any MS articles to back it up.

Any ideas?

Thanks,
Joe

On Wed, 17 May 2006 14:01:02 -0700, Joe <J**@discussions.microsoft.com> wrote:

>Hello,
>
>Is there a Microsoft recommended best practice for disabling user accounts?
>I have heard several times that if you just right-click on a user account
>and select disable that this creates performance slowdowns for Exchange
>public folders. This is because for each access to a public folder by any
>user Exchange has to look up the ACL for the folder and it takes longer to
>resolve members/permissions when it encounters disabled accounts.
>I have been told by MS engineers over the phone that it is better to disable
>user accounts by setting their logon hours to none to avoid this Exchange
>performance hit but cannot find any MS articles to back it up.
>Any ideas?
>Thanks,
>Joe

Some MS boys might need to get their heads out of A) theoreticals, or B) their beer glasses.

Just disable the accounts for goodness sake.

HOWEVER. Don't leave these accounts there for ever. Be pro-active. If a punter has been axed then set the deleted mailbox retention to be something long enough for you to create a new account and attach it to a mailbox if you need, or alternatively just set the account password to be very long indeed (i.e. a passphrase) and then you'll be fine.

Well I'm guessing you have never worked in an environment where every CPU cycle counts or you just don't know the answer to my question and like the sound of your own pen.

I am still interested in finding official MS documentation on this if anyone knows about it instead of personal ramblings.

Thanks,
Joe

"Mark Arnold [MVP]" wrote:

> On Wed, 17 May 2006 14:01:02 -0700, Joe
> <J**@discussions.microsoft.com> wrote:
>
> >Hello,
> >
> >Is there a Microsoft recommended best practice for disabling user accounts?
> >I have heard several times that if you just right-click on a user account
> >and select disable that this creates performance slowdowns for Exchange
> >public folders. This is because for each access to a public folder by any
> >user Exchange has to look up the ACL for the folder and it takes longer to
> >resolve members/permissions when it encounters disabled accounts.
> >I have been told by MS engineers over the phone that it is better to disable
> >user accounts by setting their logon hours to none to avoid this Exchange
> >performance hit but cannot find any MS articles to back it up.
> >Any ideas?
> >Thanks,
> >Joe
>
> Some MS boys might need to get their heads out of A) theoreticals, or
> B) their beer glasses.
>
> Just disable the accounts for goodness sake.
>
> HOWEVER. Don't leave these accounts there for ever. Be pro-active. If
> a punter has been axed then set the deleted mailbox retention to be
> something long enough for you to create a new account and attach it to
> a mailbox if you need, or alternatively just set the account password
> to be very long indeed (i.e. a passphrase) and then you'll be fine.
>

I think the issue you're referring to relates to the generation of event ID 9548. If you simply disable an account without setting the msExchMasterAccountSid attribute, then PSS has indeed seen cases where the store process goes through several timeouts trying to resolve ACLs. On larger systems, this has contributed, somewhat, to a slower system. I'm not sure this is actually documented officially by MS anywhere, though.

More information on event 9548 can be found here:
http://www.msexchange.org/articles/NoMAS-Tool.html

However, before reading that link, note that Microsoft has recently changed the way the store process works for Exchange 2003 via two separate hotfixes (one for SP1, the other for SP2). Applying these fixes means that the store no longer generates 9548s. Read about this here:
http://msexchangeteam.com/archive/2006/03/22/422799.aspx

"Joe" <J**@discussions.microsoft.com> wrote in message news:0734F5BA-D6E6-4CA0-818B-EC781E72DEE5@microsoft.com...

> Well I'm guessing you have never worked in an environment where every CPU
> cycle counts or you just don't know the answer to my question and like the
> sound of your own pen.
> I am still interested in finding official MS documentation on this if
> anyone knows about it instead of personal ramblings.
> Thanks,
> Joe
>
> "Mark Arnold [MVP]" wrote:
>
>> On Wed, 17 May 2006 14:01:02 -0700, Joe
>> <J**@discussions.microsoft.com> wrote:
>>
>> >Hello,
>> >
>> >Is there a Microsoft recommended best practice for disabling user
>> >accounts?
>> >I have heard several times that if you just right-click on a user
>> >account and select disable that this creates performance slowdowns for
>> >Exchange public folders. This is because for each access to a public
>> >folder by any user Exchange has to look up the ACL for the folder and it
>> >takes longer to resolve members/permissions when it encounters disabled
>> >accounts.
>> >I have been told by MS engineers over the phone that it is better to
>> >disable user accounts by setting their logon hours to none to avoid this
>> >Exchange performance hit but cannot find any MS articles to back it up.
>> >Any ideas?
>> >Thanks,
>> >Joe
>>
>> Some MS boys might need to get their heads out of A) theoreticals, or
>> B) their beer glasses.
>>
>> Just disable the accounts for goodness sake.
>>
>> HOWEVER. Don't leave these accounts there for ever. Be pro-active. If
>> a punter has been axed then set the deleted mailbox retention to be
>> something long enough for you to create a new account and attach it to
>> a mailbox if you need, or alternatively just set the account password
>> to be very long indeed (i.e. a passphrase) and then you'll be fine.
>>

Joe, no need to be rude when soliciting help, you might get "blackballed".

What Mark is trying to say is that Microsoft base most of their recommendations on the theory, while most of the responses you will get here are from the practical. Persons who have actually encountered your situation or concern in the real world situation and have not encountered the theoretical issues that MS mentioned.

Maybe the reason you are unable to find any MS articles on the matter is that it might be an MS engineer on the phone rambling. I would take real world experience over theory any day.

I have not personally experienced any noticeable performance hit for deleted accounts.

HATH = Hope All That/This Helps

Joe wrote:

> Hello,
>
> Is there a Microsoft recommended best practice for disabling user accounts?
> I have heard several times that if you just right-click on a user account
> and select disable that this creates performance slowdowns for Exchange
> public folders. This is because for each access to a public folder by any
> user Exchange has to look up the ACL for the folder and it takes longer to
> resolve members/permissions when it encounters disabled accounts.
> I have been told by MS engineers over the phone that it is better to disable
> user accounts by setting their logon hours to none to avoid this Exchange
> performance hit but cannot find any MS articles to back it up.
> Any ideas?
> Thanks,
> Joe
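
The condition named in the reply about event ID 9548 (a disabled account that still has a mailbox and no msExchMasterAccountSid set) can be audited with one LDAP query. This is an added example, not code from any poster in the thread; it assumes a domain-joined host, read access to the directory, and that mailbox-enabled users carry the msExchHomeServerName attribute.

```powershell
# Added example: list disabled, mailbox-enabled accounts with no
# msExchMasterAccountSid, oldest change first, so stale ones surface at the top.

$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2)' +  # ACCOUNTDISABLE bit set
          '(msExchHomeServerName=*)' +                        # assumption: marks a mailbox-enabled user
          '(!(msExchMasterAccountSid=*)))'                    # attribute absent

# With no search root given, DirectorySearcher binds to the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $filter
$searcher.PageSize = 500   # page results so large directories are not truncated
$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'distinguishedName', 'whenChanged'))

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        New-Object PSObject -Property @{
            Account     = [string]$r.Properties['samaccountname'][0]
            DN          = [string]$r.Properties['distinguishedname'][0]
            WhenChanged = [datetime]$r.Properties['whenchanged'][0]
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}

$report | Sort-Object WhenChanged | Format-Table Account, WhenChanged, DN -AutoSize
```

Accounts with an old WhenChanged value are the ones the thread advises not to leave in place indefinitely.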