Two sure-fire ways to deal with company leavers
Created: 16 Jun 2013 | Updated: 08 Jul 2013
With the downturn in the economy globally, and of course just through natural churn of employees, the topic of what to do with end-users mailboxes of terminated employees is something that is commonly discussed amongst Enterprise Vault administration teams. There are few different ways to process these types of requests, and in this article I'll show you two that I think are most common.
0-Day, Archive everything Policy
Within Enterprise Vault the only way to ingest all of the data out of a users mailbox is to setup a 0-Day, Archive Everything Policy. This policy needs to have a few things in it, in order to successfully ingest every item in a mailbox:
- All message classes need to be selected
In some cases I've seen people setup an IPM.* entry on the properties of their Directory, which controls the master list of message classes that the whole environment works with. They then add this 'new' message class to a new specific mailbox archiving policy.
- 0 Day
In other words, if you normally archive based on age, or quota or a combination of them, then you need to make sure the new policy is set to 0 day. It will look something like this:
One other thing that people then consider is whether or not this policy should leave shortcuts behind after archiving, or not. Some people go with the idea that the policy should. This way if you check the mailbox after you've performed the leavers process it will contain only shortcuts. Some people say that you shouldn't create shortcuts, after all you're going to delete the mailbox soon (or the Exchange administrators are). The choice of what to do here is down to your own personal preference.
With these three things set, then, the next thing to do is to have a way of getting your user(s) in to this policy. The most common way to do this is to have a different provisioning group, probably the highest one in the list, and have it based on Active Directory group membership. You might for example create a group called 1-CompanyLeavers. You would then create a provisioning group with the same name (for consistency, it's not a strict requirement) and when you then add the employee you wish to process to the specific group, and the provisioning task next runs, the user will be moved to the appropriate group - ready for processing.
You are then almost ready to begin actually processing the mailbox. First though you then have to verify that you're ready, by checking in the Vault Administration Console that the user is truly going to be targeted by the correct policy. The easiest way to do this is to right click on the label 'Exchange' underneath 'Targets' in the console and choose 'Display Policies Assigned to Mailboxes'. I would also suggest looking at the Vault Store usage report for the Vault Store where this archive resides, and checking the size, and count of items. You're going to expect that to go up after you've processed the mailbox.
Once you've validated that the correct policy is in place, you then need to run the mailbox archiving task for that one user.
After that you're done.. except of course you would probably then need to validate the mailbox itself, versus the archive. I would normally check the Vault Store usage report again, and verify that the numbers have indeed gone up, and I'd even be tempted to look in the archive and see if there are newly archived items, and even check the mailbox to make sure that there are no non-archived items left behind.
This can be a long, drawn out process, and is something that I've seen build up at customer sites so that when they do come to do it it takes them days to get through all the different mailboxes that they have had to process.
There is a much simpler way......
Archive Leavers Tool
We have a tool that can dramatically simplify the process outlined above. It is called Archive Leavers. The tool uses the Enterprise Vault API to archive everything in an end-users mailbox, and remove all the items afterwards. The tool has other features which many people will like:
- It's PowerShell based, ie command line, therefore it can be incorporated into other processes which take place when an employee is terminated.
- It completely empties the end-user mailbox, meaning that if you go and check the mailbox afterwards there will be no items left in it - it's a visual indicator that the process was successful
- Disable the mailbox from archiving in EV - this saves that one-extra-step
- Disable the Active Directory account after the process has complete - again it saves another extra step
- Optionally convert an archive to a 'shared archive' with the folder hierarchy in tact - this makes it easier to 'give' the archive to other colleagues who perhaps need access to some of the data in the archive from time to time.
- Best of all the tool is free! Some of the features mentioned here though are only available in the premium version, but I'm sure if you put forward a good use case to us we'll make sure you're happy in the end.
When we've shown people the archive leavers tool they love how simple it is, and how few steps are involved in processing a mailbox.
So in summary processing company leavers with the methods built into Enterprise Vault is a cumbersome task with many, many steps involved. It's often something that Enterprise Vault administrators shy away from, meaning that there becomes a huge backlog to process when they do finally get around to doing it. On the other hand you can use our Archive Leavers tool to handle most of this process for you, and the cool thing is it's command line based (great for all us geeks out there!).
How do you process company leavers? Let me know in the comments below...