I use Enterprise Vault for Microsoft Exchange and I'm using it as Mailbox Archive and Journal.
Our internal AD Engieering team asked what effort I expect if they plan to redesign the OU structure in our Active Directory forest. It's only a question yet. They only want to figure out if such an action makes sense from the financial point of view.
Where is a AD user object today...
CN=<my name>,OU=Standard Users,OU=Users,OU=<city>,OU=<country>,OU=Production,DC=<company>,DC=com
Where is a AD user object in future...
I think EV will be able to handle such a change since it synchronizes such information that will change. But what about records in a ExchangeMailboxEntry table where the corresponding user left the company and AD account information is no more available?
I also use Discovery Accelerator including Active Directroy synchronization. There is a table with historical user information that is kept for investigations. Does anybody know the possible impact there since this table contains old legacy user information as well.
I could not find a KB article till now that gives you a hint on such plans. Anybody of you already had to support such an action at a customers place and what had to be in mind?
Thank you for any imput from your side. I also opened a case with the same questions.
in EV the way i see this having an impact is if you use OU location or any custom queries for your mailbox provisioning and policies.
in DA unless you're limiting Custodian Manager to a specific OU, this also shouldn't be an issue.
i'm looking at it this way, companies often have OU structures by office/location/whatever and people move around within companies all the time and their accounts get moved too.
The advantage of DA is that it keeps a history of users' moves. The primary reason is to be able to find all the users' data in event of a search.
EV is very good at handling these types of modifications.
Thank you for this input till now.
Provisioning groups are defined as an AD group (in EV called Windows group) in all our EV environments where users will be added by our internal provisioning process. We never used the type Organizaional Unit in this context. In other words AD group memberships won't change.
The corresponding AD group will be transffered to another OU as well but will not be deleted. Memberships will be kept too. The policies are relying on the correspoding provisioning groups. So I'm still on the right way. Right?
But as I mentioned above. If the AD account is already removed EV is not able to update any information around such a user object or mailbox in EV (ExchangeMailboxEntry table). Such an information won't change. Right?
Custodian Manager is not limited to OU's as well. Additionally I added a screenshot with the current Profile Synchronization settings.
I only see one issue there with user objects that cannot be found anymore (employee left the company).
As you said the Custodian Manager keeps all historic user information about such user objects.
Let's think about the following situation:
A employee left the company some time ago. The corresponding user account doesn't exist anymore when such a change will happen. So nothing will be updated around Enterprise Vault and/or Discovery Accelerator in this case.
The user comes back after this OU change and his account will be added to the Active Directroy again - but somwhere in the new OU structure.
What will happen with the existing (old) information in this case since the new user object will cotain another SID and therefore will be interpreted as another user by EV and DA. Right? So I will have two entries in each affected table then. Right?
Thank you for sharing my thoughts.
you're correct, a new AD account gets a new SID and it doesnt matter if the user's display name is the same as someone else since as you know, there can be multiple people with the same name - especially in large companies this is common. everything is tied back to unique identifiers and if you delete an AD account and create a new one, even if it's for the same person, the UID is new.