Archiving Terminated Users and Automation
Something so simple like employees leaving a company can sometimes cause nightmarish problems with software like EnterpriseVault. In fact it isn't just Enterprise Vault, it is many business related pieces of software, and it is the whole decommissioning of accounts, access rights, mailbox, and archives. In this article I will share with you a really neat way of having some of this automated, or at least have the ability to automate it. I will also explain how I helped one customer do a really neat twist on this approach.
The problem with employees that leave an organisation is that one person who would generally look after the mailbox, and the archived data has gone. That is the employee themselves. They are usually the ones who know almost immediately when their mailbox is full, or data has not been archived, when it should. So it falls back to systems to handle things, and they can be problematic as we all know.
What would be ideal is a way to hoover-up all of the mails, contacts, calendar items and so on in a mailbox, once the employee has left the company. But Enterprise Vault email archiving does not have a command line tool like FSARUNNOW, to process a mailbox. It also doesn't have a particularly clean way to move, or associate a user with a different policy so that, for example, every single non-archived item in a mailbox can have one final pass through it, and get archived. Enterprise Vault is simply lacking that functionality.
So right now, without any additional assistance, many administrators follow this approach: move the user into a higher ranking provisioning group, perhaps based on active directory group membership, run the provisioning task in Enterprise Vault to make the change known to the system. Finally they would then run the mailbox archiving task for that one user, or wait until that evening for the mailbox to be processed in the normal run .. Unless of course the account has been disabled, or the mailbox hidden, or both, in the meantime. (Those issues can be worked around with registry keys on the Enterprise Vault server).
It is not a very slick process. There are a number of steps where there is the potential for something to go wrong, and of course there is a lot of upfront configuration that needs to be done to things like policies, provisioning groups and so on. In some organisations the task of adding the employee to an Active Directory group is something that Enterprise Vault administrators do not have permission to do.
A Different Solution
At QUADROtech we recognise many different needs of Enterprise Vault administrators and have produced several free, and premium tools to help make live a little bit easier. One such tool is called Archive Leavers. This is a small PowerShell snap-in that can automate this employee leavers process. With a small amount of configuration you can then issue commands like
Set-archiveleaver -Mbxalias Somerusername
This makes an Enterprise Vault administrators life much easier. They can keep the provisioning and policy configuration as-is, and they do not have to add people to specific Active Directory groups and run multiple tasks. It is just one command to run, per employee that is leaving, and then a short time later all of the items in that persons mailbox will be archived, and all the contents of the mailbox (item by item) is then deleted.
Of course that isn't the end of this story, it is just the start. After all it is still a pain if you have to log on to the Enterprise Vault server, start PowerShell, import the commandlet, and then issue the command multiple times in one day, or every Friday afternoon. To solve this took the request of a customer of ours. They loved Archive Leavers, but wanted it to be simpler still.
So below are the steps that you can follow to automate this still further, using a Scheduled Task in Windows. The task runs, say, every hour, and runs a command file. That file contains the Archive Leavers that you want to process.
Create a new scheduled task on the Enterprise Vault server - this needs to run as the Vault Service Account.
Set the schedule of the task to your needs, eg Daily at 10am.
The command to run is: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, because we need to use 32 Bit PowerShell
The argument to pass is: -file "C:\Program Files (x86)\QUADROtech\Archive Leavers\runme.ps1" (or a file and location of your choice)
The contents of runme.ps1 should be something like this:
Write-Host "Moving to Archive Leavers folder"
cd "\program files (x86)\quadrotech\archive leavers"
Write-Host "Importing Archive Leavers DLL"
Write-Host "Import finished, Archiving person"
set-archiveleaver -mbxalias wayne11
Write-Host "Sleeping for 30 seconds"
Write-Host "Sleep finished, end of script"
I have not figured out how to get round the execution policies on the system, so I normally use: Set-executionpolicy –executionpolicy unrestricted
To test it out, try:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files (x86)\QUADROtech\Archive Leavers\runme.ps1"
No need to worry about it running multiple times - try it - the commandlet will “error” out because the second time the user is not enabled for Enterprise Vault archiving any longer.
Now it's not too hard to take that even one step further still, that would be to get the file to read in from a text file somewhere, the list of mailbox/archives to process. I'll leave that to the avid reader though!
You can see though that because Archive Leavers is a nice, small command line tool, it's possible to integrate it, and build up other things around it to suit the needs of the job at hand.
As you can see the Archiver Leavers tool, which comes in a free, yes, free version, as well as a premium version, can really help with automating the task of cleaning up a mailbox from an employee who has left your organisation. It is command line based which takes a bit of time getting used to, but it is then super powerful. Finally with the twist at the end of automating this with a scheduled task .. Well, an administrators life just got a whole lot simpler, right? Just don't let your boss know... But let me know in the comments below whether you have tried the tool, or have any other suggestions or methods that you automate this part of the admin burden that you or your team are involved in.