Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Processing Company Leavers

Created: 25 Jun 2012 • Updated: 03 Jul 2012 | 17 comments
Language Translations
Rob.Wilcox's picture
+5 5 Votes
Login to vote

 

Introduction

One of the tasks facing Enterprise Vault Administrators is how to process mailboxes/archives for people who are leaving the company.  It could be 1-2 people now and again, through natural attrition, or it could be a collection of people in one go, as part of a reduction-in-force (RIF).

Either way working out the 'best' thing to do with their mailboxes, and archives is something that an EV Administrator must think about and tackle at some point.

In this article I'm talking about Exchange mailbox users.  However, some of the same tasks/issues exist for SharePoint users, and other mail systems like Domino.

Lots of Options

There are many options, decisions to make, and things to think about when looking at what can be done with leavers from the company.  It has to be decided if the archive needs keeping at all!  In some companies it might be possible to destroy all old data, or maybe the person leaving hasn't been with the company for very long.  I am guessing though, that most EV Administrators don't get this 'simple' part of the job very often!

Usually the Enterprise Vault Administrator, management, and any Legal and Risk teams need to think about :

 

* Does the archive need keeping?

Most companies don't want to delete anything.  Let alone someone that is just leaving the company.  So the answer to this, for most EV Administrators is "Yes".

 

* Does the archive need to be shared amongst previous team members, or a replacement member of staff?

This often depends on the nature of why the person is leaving, and whether the remaining team need access to some of the related mails, eg shared projects and so on.

 

* Does the mailbox need 'hoovering up' to get rid of ALL the old mail, and instead adding all the mails to an archive?

Personally I think it's great to zero the mailbox before deleting it, or telling an Exchange Administrator team that they can go ahead with their own clean up routines.

 

* Does the mailbox need to not be processed by the Archiving Task of Enterprise Vault after their leaving date?

It would make sense to me not to process the mailbox every night going foward after the person's leaving date.

 

* Does the leaver need to be disabled from Active Directory when they leave?

This is a definite, in my opinion, but again companies vary.

 

* Does the end-date need to all go under the same retention category as existing data, or to a different one?

This is a discussion which needs to be had as to whether the 'final' set of data is kept under different retention.  Legal and Risk teams might have some input on this aspect, or you maybe given free reign to decide to keep the data for a year (for example)

 

* Does the archive need to be kept 'online'?

Some companies decide that they want to keep the data, but not in an online form.  Sometimes they will export the whole of the archive to a collection of PSTs, which can be stored somewhere on the network, or just simply backed-up and then deleted.

 

Once all these sorts of things have been debated you then need to do some of the activities, and then think about automating the growing list.

Normally, the sorts of things that I see being done are:

* Archive everything in the person's mailbox the day they leave

* Disable them in Active Directory

* Disable them from Enterprise Vault archiving

* At some point later share out the person's archive with managers, replacement staff, etc.

One of the ways to archive everything in the person's mailbox is to swap them to a different provisioning group, synchronise (a few times), run the provisioning task (a few times, for good measure) and then run the archiving task manually for that user.  This time it might be wise to ensure that they don't get items archived and replaced by shortcuts; just archiving them may be fine.  Doing this sort of thing is a bit cumbersome and time consuming, and at this point you will now probably have a mailbox with only shortcuts in them.  The mailbox could just be deleted, or, a simple script could go through the mailbox, delete all the shortcuts and report on any issues ore remaining items.

Disabling them from Enterprise Vault archiving is usually a manual step after this.    There isn't a lot of sense in carrying on archiving the leavers mailbox after they have left.  It makes more sense to clean things up once-and-for-all.

Disabling them from Active Directory could be done via a script, or a quick search using AD Users and Computers.

It's always possible at a later time to then share out this person's archive with some other required people.  Again though that becomes a little bit of a pain to manage, but it's do-able.  It can also be tricky then if the leaver returns to the company potentially in a different role, or if someone with the same name starts working for the company.

Some companies even export the whole of the archive at this point, in to several PST files, and then remove it from Enterprise Vault.

The bit that isn't very palatable for many administrators is the manual-nature of most of these tasks.  It would be great with some automation, via custom scripts, or via a tool.

Ideal Sounding Solution?

I spotted an ideal sounding solution a week or two ago, and investigated it a little.  The solution is called Archive Leavers from QUADROtech.  It comes in two forms, a free version (where they ask you obtain a free license after 30 days) and premium version which does a few more things.  I don't have any details on the pricing unfortunately.

The free version lets you archive everything out of a users mailbox, to a particular retention category which you can specify.  It will clear out the users mailbox, to zero items.  It also then disables the user from EV archiving.  It's all scriptable via PowerShell as well, which is great.

I found installing it, using it and doing scripted approaches with it (to process several users) very easy.  They even have a couple of training videos available from their web site (http://quadrotech-it.com) which show how to do the various tasks with the tool.

The premium version additionally lets you disable the user from Active Directory, and turn the leavers Archive in to a Shared Archive.

Summary

Processing leavers from a company is something that every Enterprise Vault Administrator must get involved in at some point.  Whilst there are many manual options available, some of which can be automated by custom-built scripts, there is at least one almost completely automated approach in the form of QUADROtech Archive Leavers tool.

 

Comments 17 CommentsJump to latest comment

Dushan Gomez's picture

Thanks for sharing it here Rob !

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

0
Login to vote
patriot3w's picture

Hi Rob, does EV provide any tool or script to remove the archive automatically? Thanks.

0
Login to vote
Rob.Wilcox's picture

To remove what automatically?

0
Login to vote
patriot3w's picture

Sorry Rob, to remove the archive automatically. This is a requirement from our customer. The reason is simple: to clean up the enterprise vault just like clean up the AD.

0
Login to vote
Rob.Wilcox's picture

No there isn't. Would seem like a dangerous operation/idea... you hoover up all the data from exchange, into an archive, and then delete it?

Maybe in the future there will be programatic ways to export to PST, and then delete the archive. You'd have to discuss the requirement with product management or account management.

+1
Login to vote
patriot3w's picture

Hi Rob, we already escalate to account mangement. I think need to raise an enhancement requirement. Is there any API available in EV to do this?

+1
Login to vote
Dushan Gomez's picture

Yes patriot,

I also got the similar question from my manager is it possible to offload the vault store items to the tape drive for archiving ? simply because adding more and more disk space into the server will be much harder to manage later on. (no more drive letters left and disk space issue).

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

+1
Login to vote
Rob.Wilcox's picture

No, no supported API.

+1
Login to vote
patriot3w's picture

Hi Dushan, we are using mounting point so don't have issue on the drive letter, maybe you can consider this one...it support auto roll over.

+1
Login to vote
John Santana's picture

Hi,

I need to do the export of coplete mailbox, so I wonder if this tool can do it for me ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Rob.Wilcox's picture

No, the Archive Leavers tool will ingest everything from a mailbox in to EV.

0
Login to vote
John Santana's picture

Wow that sounds cool, I'll better download that to try it on exporting 40+ mailboxes over the weekend.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Rob.Wilcox's picture

If you get into any problems, or have any suggestions, please let me know (send me a PM or email)

0
Login to vote
John Santana's picture

No worries Rob, after I watch the video about this utility, it is the tool that I need.

hopefully it is working fine with my EV 8 SP4 and Exchange 2007 SP1. Does the tools automatically delete the exchange mailbox of the users that I archived after executing the powershell statement ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Rob.Wilcox's picture

No, the mailbox won't be deleted.

It has been talked about, but at the moment the mailbox is left.  It can be used then as a final check, to make sure that it is truly empty.  In the premium version of the tool the AD account can be automatically disabled after the archiving 0day and shortcut clean up takes place.

+1
Login to vote
John Santana's picture

OK, then I can try it on my test user in the team without causing so much issue on the production.

Wow that's cool, many thakns for sharing this great stuff.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote