12-14-2017 03:24 PM
Close to 7 years ago we implemented Enterprise Vault. Minus some hiccups along the way, it has performed pretty well. At the time of implementation, a blanket 7 year retention for every mailbox/employee was set by our legal and compliance teams, and we have stuck with that throughout the years. Exchange journal archiving was configured with one journal mailbox and one archive task, so we have one monolithic Exchange journal archive.
Coming up on the first expiry run soon in January, compliance and legal have now decided that several accounts (maybe two dozen or so) will actually be "retain forever" for compliance reasons.
This is fairly straightforward from the individual mailbox perspective. My plan is to target a newly created AD group with those individuals in it with a new provisioning group, and set the "Forever" retention policy rather than our standard 7 year policy. However, this only takes care of e-mail that the user has allowed to be archived in their personal vault (i.e., things they didn't delete before archiving moved it).
Because we are a public entity we are occasionally required to respond to public records requests, which means that we do a journal search with Discovery Accelerator to satisfy those. For the users that have been defined as "keep forever", I need to come up with a way to separate messages to or from them in the journal archive and retain those, while expiring the rest of the journal archive contents at 7 years.
Going forward with this "keep forever for a few people" requirement, I'm going to be configuring a separate journal mailbox for those users in Exchange, and will archive that to a separate journal archive that can have a different retention category applied. But I need to address the existing monolithic journal archive that contains a mix of "keep forever" and "expire after 7 years" messages. Somehow I need to extract the "keep forever" people's messages from the archive, split the archive somehow so I can expire the rest and retain only the stuff needed. My thought was to do some kind of export of the "keep forever" items, then re-import those into the new "keep forever" journal, and let the duplicates expire with the rest on the 7 year schedule... but I'm not sure if that's the most elegant way to get this done.
For those of you who are really experts with EV, can you give me some pointers about the best route to go here? I am open to any ideas/suggestions/etc. Hopefully my description of the problem I'm trying to solve is understandable. I can clarify if needed.
12-14-2017 10:47 PM
This is easier than you think.
You can use DA to 'fix' this. In short: Create a case, select legal hold, create a search. Set the date criteria as start of archiving date (or whatever is the earliest date in the archives), enter the email addresses of the people you need to keep forever. Run the search.
Now, all items it finds will be on hold, and will not be deleted by Storage Expiry.
If you use Custodian Manager, use that to make the group of users, otherwise make sure you have all email addresses for the users. I get them from Exchange (get-mailbox id | fl emailaddresses)
You then might want to try an export of the items and see if an import in either a shared archive or in a temporary Journal Mailbox allows rearchiving with the new retention.
I personally would stick with the DA search and the items on hold.
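One way to collect every SMTP address (primary and aliases) of the "keep forever" users so none is missed in the DA search criteria, as an added example that is not part of the original post. The group name and output file are hypothetical, and it assumes the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example: build the address list for the DA legal-hold search.
# Assumptions: group name and output path are placeholders, not from the thread.
param(
    [string]$GroupName = 'EV-Retain-Forever',
    [string]$OutFile   = '.\retain-forever-addresses.txt'
)

Import-Module ActiveDirectory

$addresses = foreach ($member in Get-ADGroupMember -Identity $GroupName -Recursive) {
    if ($member.objectClass -ne 'user') { continue }

    $mbx = Get-Mailbox -Identity $member.distinguishedName -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # A member without a mailbox contributes no addresses; flag it for review.
        Write-Warning "No mailbox for $($member.SamAccountName); not covered by the search"
        continue
    }

    # EmailAddresses holds every proxy address (SMTP:, smtp:, X500:, SIP:, ...).
    # ToString() makes this work in both local and remote Exchange sessions.
    $mbx.EmailAddresses |
        ForEach-Object { $_.ToString() } |
        Where-Object { $_ -like 'smtp:*' } |
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() }
}

# De-duplicate and write one address per line for pasting into the search.
$unique = $addresses | Sort-Object -Unique
$unique | Set-Content -Path $OutFile -Encoding ASCII
"{0} addresses for group {1} written to {2}" -f @($unique).Count, $GroupName, $OutFile
```

Aliases matter here because journaled messages may carry a secondary address rather than the primary one, and an address left out of the search leaves those items exposed to Storage Expiry.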
12-14-2017 10:50 PM
And, be advised that creating a new PG for those users' personal archiving is the way to go, the new retention only applies to items as of when the new PG is used. It is not going to set the already archived items to 'keep forever'.
You need to set this on each of the archives. (do not allow automatic expiry, and preferably also 'user cannot delete items')
12-15-2017 06:49 AM
I like the idea to use DA to pull the mail out for the forever archive. On the Exchange side journal those mailboxes to a new journal, on the vault side put the new journal in a new archive with forever retention, import the mail that was exported from DA.
I like the legal hold idea for the short-term 'don't archive for 6 months or so' condition.