Forum Discussion

Dushan_Gomez
13 years ago

What is the best practice after the Exchange Mailbox user is leaving the company?

Hi,

Can anyone share what is the best practice to do after you archive the Exchange Server mailboxes with EV according to this article (http://www.symantec.com/business/support/index?page=content&id=TECH67757)?

Do you still keep it, or can you safely delete it from the Exchange Server, which will mean it deletes the AD account as well?

I've never deleted all of my Exchange Server mailboxes in the company before because I do not know what or how to access the archived email from the EV console.

Any kind of help would be greatly appreciated.

Thanks

  • When a user leaves we start by disabling the account (naturally), assign any forwarding rules requested and grant mailbox access to replacements/line managers/colleagues to fit the access required by the particular department. (Our archive access syncs from the mailbox rights, so this carries across all legacy mail access also.)

    We then move the user object to a new OU designated for leavers. The original plan was for there to be group policies affecting this OU but that never happened; however, it allows us to assign this OU to a leavers provisioning group.

    Members of this provisioning group have a few rules in addition:

    1. EVERYTHING is archived daily if it is over zero days old, effectively emptying the mailbox (save a few shortcuts) to the vault.

    2. Shortcuts for items over 6 months old are deleted. This effectively gives us the ability to count down to when the account isn't needed: the list will reach very few items. It also means that we can see if clients etc. are still messaging this address and if some forwarding should be considered; if the mailbox doesn't shrink in number of items then someone is still mailing them.

    Periodically we check Exchange mailbox item counts. If the user has been disabled for at least 6 months and the number of items is less than 5, it's probably only system items remaining and the mailbox is safe to delete; access has been available to the vault for those who need it via Archive Explorer etc. for at least 6 months. When the AD account deletes, all previously synched access is kept and additional access can be granted via the EV console.

    All of our data is kept indefinitely; it's only a question of granting the correct access.
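
The periodic check described in the reply above, as an added example that is not part of the original post or any poster's own script. It only reports candidates and deletes nothing. The OU path is a placeholder, and using `whenChanged` as a stand-in for the disable date is an assumption.

```powershell
# Added example. Run from the Exchange Management Shell with the
# ActiveDirectory module available. Report only: nothing is deleted.
Import-Module ActiveDirectory

# ASSUMPTION: placeholder DN for the leavers OU; replace with your own.
$LeaversOU = 'OU=Leavers,DC=example,DC=com'

function Get-LeaverDeletionCandidate {
    param(
        [string]$SearchBase   = $LeaversOU,
        [int]$MonthsDisabled  = 6,   # "disabled for at least 6 months"
        [int]$ItemThreshold   = 5    # "number of items is less than 5"
    )

    $cutoff = (Get-Date).AddMonths(-$MonthsDisabled)

    # Only disabled accounts inside the leavers OU are considered.
    $leavers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' `
                          -Properties whenChanged

    foreach ($user in $leavers) {
        # ASSUMPTION: AD keeps no "disabled on" date, so whenChanged is used.
        # Any later change (OU move, rights change) only makes it newer, so an
        # account passing this test has been disabled at least that long.
        # whenChanged is per domain controller; query the same DC each run.
        if ($user.whenChanged -gt $cutoff) { continue }

        $stats = Get-MailboxStatistics -Identity $user.DistinguishedName `
                                       -ErrorAction SilentlyContinue
        if (-not $stats) { continue }   # no mailbox, or no statistics yet

        # A count that stays above the threshold means mail is still arriving
        # and forwarding should be reviewed before anything is removed.
        if ($stats.ItemCount -lt $ItemThreshold) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                LastChanged    = $user.whenChanged
                ItemCount      = $stats.ItemCount
            }
        }
    }
}

Get-LeaverDeletionCandidate | Sort-Object LastChanged | Format-Table -AutoSize
```

Confirm that the people who need the archive already have access before acting on the list.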

     

     

     


  • Many thanks for the response guys,

    So the correct steps are to disable the account from the AD and then MOVE it into the custom OU for 0 day archiving?

  • Dushan, there are no "correct" steps really. There are just options, and which you choose is down to you, your business, your consultants etc, etc.