Not sure if this falls under AD or Exchange, but I'm posting here first.
So, I've noticed in AD that we've got a handful of user accounts that are disabled but msExchUserAccountControl is still 0 even though userAccountControl is 2. Not every account we disable behaves that way, but some do with no apparent pattern. We use this attribute in searches via LDAP from an external application so we've been getting unexpected results.
So, I'm wondering:
1) What's the difference between the 2 attributes? I can change the LDAP search if they have the same meaning.
2) Is there any effect or issue that this may cause? In particular, from a security standpoint, does this mean that the mailbox is still somehow accessible even though the AD account is not?
3) Any way to fix / prevent it from happening?
I couldn't find anyone with the same problem so hoping someone here has some insight.
Thanks.
FYI, AD 2003 functional (mixed 2003 & 2008R2 DCs) + Exchange 2007