reevesbl
Level 3
15 years ago
Solved

Enterprise Vault - Disable accounts

Platform: Enterprise Vault 9.0.2

Vault Server: 2K3 R2 Enterprise Edition 23 Bit

 

We have an opportunity to clean up our Active Directory, Exchange, and Enterprise Vault but want to make sure we are following best practices and due to some issues found along the way need some help.

 

1. Currently have over 2 thousand AD accounts. Some are disabled and hidden from the Global Address Book (GAL) in Exchange and some are still enabled but reside in a specific OU for easy identification. We want to remove them all from AD, Exchange, and at a minimum disable them in the EV.

*** If you delete a user from EV does it exclude them from any future Discovery Accelerator searches? We have journaling enabled.

2. We noticed that if the accounts were hidden from the GAL we could not locate them in EV using the Disable Account wizard. Each account is tagged with a common delimiter so we can easily identify them in searches.

3. Our provisioning groups are set to target specific Organizational Units in Active Directory vice using the "Whole Exchange Organization" feature.

*** If the accounts we want to disable are relocated outside of the target OU's does this exclude the accounts from any searches in EV?

 

*** What are the proper steps to disable / remove a user from Active Directory, Exchange, and Enterprise Vault? What are the recommended steps?

*** Are there any negatives to deleting the account versus just disabling it in Enterprise Vault?

*** What are the requirements for the account to be available when using the "Disable Account" wizard in Enterprise Vault?

 


2 Replies

  • There is no white paper or Best Practice that I am aware of. The creation of an OU for leavers which maps to a provisioning group and leavers policies that are not enabled for archiving should be enough. The leavers PG will need to be at the top of the list of PG's.

    You then archive all the mail in their mailboxes using the 0 day mailbox policy -

    http://www.symantec.com/docs/TECH67757

    You can then disable them from archiving via the Disable Mailbox Wizard. You can then export their archives to PST and then delete the archive and subsequently the mailbox if you wish.

    To view Mailboxes that are hidden in the GAL so you can disable them - http://www.symantec.com/docs/HOWTO37769

  • To be honest, your best bet would probably be to just run a SQL query to change the mbxArchivingState of those disabled users as opposed to having to reprovision and then disable them, because all the disablement does is update the hidden message in the mailbox and then change the SQL attribute; it doesn't seem worth it really.

    As for Discovery Accelerator, it deals in just archives and not mailboxes, so as long as the user has an archive, whether they exist in AD, have been deleted or disabled or hidden or provisioned etc. doesn't matter; all that matters is that the Archive is not set to a status of "Unavailable", which you can only really do via a SQL update to the Archive table via SQL.