What is the best practice after the Exchange Mailbox user is leaving the company?

Dushan_Gomez
Level 6

Hi,

Can anyone share what is the best practice to do after you archive the Exchange Server mailboxes with EV according to this article (http://www.symantec.com/business/support/index?page=content&id=TECH67757)?

Do you still keep it, or can you safely delete it from the Exchange Server, which will mean it deletes the AD account as well?

I've never deleted all of my Exchange Server mailboxes in the company before because I do not know what or how to access the archived email from the EV console.

Any kind of help would be greatly appreciated.

Thanks

1 ACCEPTED SOLUTION

Mikeydee135
Level 4

When a user leaves, we start by disabling the account (naturally), assign any forwarding rules requested, and grant mailbox access to replacements/line managers/colleagues to fit the access required by the particular department. (Our archive access syncs from the mailbox rights, so this carries across all legacy mail access also.)

We then move the user object to a new OU designated for leavers. The original plan was for there to be group policies affecting this OU, but that never happened; however, it allows us to assign this OU to a leavers provisioning group.

Members of this provisioning group have a few rules in addition:

1. EVERYTHING is archived daily if it is over zero days old, effectively emptying the mailbox (save a few shortcuts) to the vault

2. shortcuts for items over 6 months old are deleted - this effectively gives us the ability to count down to when the account isn't needed - the list will reach very few items. It also means that we can see if clients etc. are still messaging this address and if some forwarding should be considered; if the mailbox doesn't shrink in number of items, then someone is still mailing them.

Periodically we check Exchange mailbox item counts. If the user has been disabled for at least 6 months and if the number of items is less than 5, it's probably only system items remaining and the mailbox is safe to delete; access has been available to the vault for those who need it via Archive Explorer etc. for at least 6 months. When the AD account is deleted, all previously synced access is kept and additional access can be granted via the EV console.

All of our data is kept indefinitely; it's only a question of granting the correct access.
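
The periodic check described in the accepted solution, as an added example that is not part of the original post or of any Symantec tooling. It assumes item counts from two successive checks have been exported to CSV; the column names, the sample rows and the reading of "6 months" as 183 days are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data). Assumed columns:
#   disabled_on = date the AD account was disabled (blank if never recorded)
#   prev_items / curr_items = mailbox item counts from two periodic checks
SAMPLE = """alias,disabled_on,prev_items,curr_items
asmith,2023-01-10,4,3
bjones,2023-01-10,120,180
clee,2023-09-01,2,2
dkhan,2023-02-01,40,12
eroe,,1,1
"""

MIN_DISABLED_DAYS = 183   # "disabled for at least 6 months" (assumed day count)
MAX_RESIDUAL_ITEMS = 5    # "less than 5": probably only system items remain


def classify(row, today):
    """Apply the leaver rules from the post to one exported mailbox row."""
    if not row["disabled_on"].strip():
        # No record of the account being disabled: never auto-flag for deletion.
        return "needs-review"
    disabled_days = (today - date.fromisoformat(row["disabled_on"])).days
    prev, curr = int(row["prev_items"]), int(row["curr_items"])
    # A mailbox that is not shrinking while above the residual level is
    # still receiving mail, so forwarding should be considered.
    if curr >= prev and curr >= MAX_RESIDUAL_ITEMS:
        return "still-receiving"
    if disabled_days >= MIN_DISABLED_DAYS and curr < MAX_RESIDUAL_ITEMS:
        return "delete-candidate"
    return "wait"  # too recently disabled, or shortcuts still expiring


def review(csv_text, today):
    """Return {alias: status} for every mailbox in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["alias"]: classify(row, today) for row in reader}


if __name__ == "__main__":
    for alias, status in review(SAMPLE, date(2023, 10, 1)).items():
        print(f"{alias:8} {status}")
```
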

5 REPLIES 5

JesusWept3
Level 6
Partner Accredited Certified

http://www.quadrotech-it.com/products/evtools/free/archive-leavers/

https://www.linkedin.com/in/alex-allen-turl-07370146

Rob_Wilcox1
Level 6
Partner

Please have a read of :

http://www.symantec.com/connect/articles/processing-company-leavers

Working for cloudficient.com

Dushan_Gomez
Level 6

Many thanks for the response guys,

So the correct steps are to disable the account from the AD and then MOVE it into the custom OU for 0 day archiving?

Rob_Wilcox1
Level 6
Partner

Dushan, there are no "correct" steps really. There are just options, and which you choose is down to you, your business, your consultants etc, etc.

Working for cloudficient.com