
Continue archiving a disabled Exchange mailbox

Created: 01 Feb 2013 • Updated: 05 Feb 2013 | 12 comments
Francis-T's picture
This issue has been solved. See solution.

Hi,

 

Spent most of the day reading through the multiple discussions around Leavers processes.

Still having an issue with how I would like to deal with Leavers accounts.

 

If all my users are EV enabled and being successfully archived by EV, when it comes to them leaving and having their accounts disabled, I want to be able to disable their AD user account (ExcludeDisabledADAccounts is set to 0 & ProcessHiddenMailboxes is set to 1), and also disable their Exchange 2007 mailbox so that it will automatically be deleted after x amount of days.

At the same time, their AD account gets moved into a new Provisioning Group that archives all the current mailbox content.

So EV would need to continue archiving the disabled mailbox in order for the new policy to strip out all the existing content in the mailbox. If that makes sense?

Have been testing with a few accounts, and it seems that when the Exchange mailbox is disabled, EV stops archiving it?

Have confirmed the new provisioning group works, by testing with another account that was disabled in AD, but their Exchange mailbox left alone, all content was successfully archived.

Is there something extra I need to do to get EV to archive disabled mailboxes, or can it not do that?

Thanks,

Francis


plaudone's picture

The registry keys you have in place should allow EV to archive the disabled MB.   A Dtrace of ArchiveTask when performing a Run Now against that mailbox should give information as to why it is not being processed.

 

 

Francis-T's picture

Grand, wasn't sure if I was misreading what those reg keys should do and needed something else.

I've got a few test accounts setup in different states now.
I'm going to let archiving and synchronising run on schedule over the weekend, along with the weekends full backup, to see what state the test accounts are in on Monday.

Will get a DTrace of any accounts that have issues on Monday and get back to you.

Thanks

MMcCr's picture

I may be wrong so please don't shoot me ;-) however I understand 'Disabling a Mailbox in Exch 2007' to be the same as disconnecting a mailbox from an AD account as in Exch2003. It effectively removes all Exchange attributes.

I personally wouldn't have expected EV to be able to access this, as I don't think it would have done if the mailbox was in Exch2003.

I thought the 'ExcludeDisabledADAccounts' actually refers to the associated AD login account being disabled.

Again, maybe I am wrong but that's the way I see it.

SOLUTION
Francis-T's picture

Yep, disabling the mailbox in 2007 disconnects it from the AD account.
It would make sense that EV then cannot archive it as I would assume it doesn't make the connection between the AD account security groups, and their associated EV policies, to be able to apply a 'Leavers' policy?

Then again, surely all staff leaver processes will involve disabling a mailbox to ensure the mailbox is effectively closed?

Have confirmed my test accounts with disabled mailboxes did not archive over the weekend, sorting a DTrace and manual archiving run against one of them now.

Starting to sound like the leavers process needs to be separate steps, disable the user account initially, but leave the mailbox alone for a few days to allow the new Leavers policy to apply, then archive over a few nights, before eventually disabling the mailbox?

Not really what I wanted as it introduces the potential for mailboxes to be missed.

GertjanA's picture

Hello Francis,

The nasty thing about Exchange 2007 is that if you disable the mailbox, Exchange considers this a 'remove this mailbox'. The only 'safe' way is to do what you describe: disable the user accounts, then allow sufficient time to archive the mailbox.

There is a nice 3rd party tool, which could assist you if you have many leavers (i.e. several every week).

It is called ArchiveLeavers. Read more here: http://www.quadrotech-it.com/products/evtools/free/archive-leavers/

It might be helpful.

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS
Company: www.t2.nl

www.quadrotech-it.com

www.symantec.com/vision

MMcCr's picture

Example process for smaller numbers would be:

- move into a Leavers OU

- disable AD, hide mailbox, remove from DL's etc

- empty with EV

- use Exch & EV reporting to know when they're empty.

- disable/tombstone mailbox

- run weekly reports against the OU.

 

 

rakcms's picture

Create a new OU in AD like Xemployee.
Once a user has left the organization, move the user to the Xemployee OU.
In EV, set a 0 days archive policy for the Xemployee OU.
After one day, disable the user in AD.

Francis-T's picture

I did indeed Rob, and very useful it was.
It's just that there wasn't any direct reference to disabling an Exchange mailbox and where it stands in regards to EV archiving (I don't think there was anyways last time I read it?).

As I understand it now, there are 2 options, to use QuadroTech's EV Leaver utility and have a process to disable the accounts, archive everything using the utility, then disable the mailbox, etc. Can be done in one hit so to speak.

Or with EV's native functionality, disable the AD account, hide it from the GAL and move it into a Leavers OU or security group, then with those 2 reg keys enabled, allow EV to archive off the rest of the mailbox content on the site schedule. Then when the mailbox is empty, disable/disconnect it in Exchange.

At the minute I'm going with the native EV functionality. Will look at the QuadroTech utility later.

Thanks very much for the info

Rob.Wilcox's picture

'Disabled mailbox' is a bit of an iffy term in my opinion.  What does it mean?  What is the intention?

 

If you disable an AD account then the person who is leaving won't be able to access the mailbox.  Delegates still can, and maybe they should be able to?

 

Another option would be to disable the AD account, and then set the send/receive limits to 0.  That way users, and delegates can access the mailbox but can't make any changes.

 

By the way, the 'premium' version of the Archive Leavers has the ability to disable the AD account also (and it can convert the archive of the mailbox into a Shared Archive, making it nice and easy to hand over the archive to a delegate or HR or legal or someone else).

Francis-T's picture

Exchange 2007, you right click a mailbox and have 2 options, Remove or Disable.

'Remove' gets rid of the mailbox and the associated AD account.

'Disable' disconnects (like in 2003) the mailbox from the AD account and leaves it under Disconnected mailboxes until it is eventually removed (30 days by default I believe).

If you just disable the AD account, the mailbox and its email address(es) are still technically active. If you send an email to it, it will be accepted. If the user has server side rules to auto-forward, etc, they will still be processed and forwarded, so ideally, the mailbox should be disabled for a leaver in my opinion. Everyone's requirements vary though, so some may have no issue leaving a mailbox enabled
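
The native process discussed in this thread (move leavers to their own OU, let EV empty the mailbox, then disable it) leaves a window in which the mailbox still accepts and can forward mail. The following report for the Exchange Management Shell is an added example, not part of the original thread and not Symantec or Quadrotech code. The OU path, the item-count threshold and the function name are assumptions.

```powershell
# Added example for the Exchange 2007 Management Shell.
# Assumptions: leavers are kept in the OU below (hypothetical path) and a
# mailbox counts as "empty" at or below $MaxItems items. EV shortcuts and
# non-mail items may keep the count above zero, so tune the threshold.
$LeaversOU = 'example.local/Leavers'
$MaxItems  = 0

function Get-LeaverMailboxStatus {
    param([string]$OU, [int]$Threshold)

    Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited | ForEach-Object {
        $mbx   = $_
        # Returns nothing for a mailbox that has never been logged on to.
        $stats = Get-MailboxStatistics -Identity $mbx.Identity
        $count = 0
        if ($stats) { $count = $stats.ItemCount }

        # ForwardingAddress is mailbox-level forwarding only; rules created
        # by the user inside the mailbox are not visible from here.
        $mbx | Select-Object Identity, Name, HiddenFromAddressListsEnabled,
            ForwardingAddress,
            @{Name = 'ItemCount';      Expression = { $count }},
            @{Name = 'ReadyToDisable'; Expression = { $count -le $Threshold }}
    }
}

$status = Get-LeaverMailboxStatus -OU $LeaversOU -Threshold $MaxItems

# Weekly report: every leaver mailbox that is still connected, so none is missed.
$status | Sort-Object ItemCount -Descending |
    Format-Table Name, ItemCount, HiddenFromAddressListsEnabled,
                 ForwardingAddress, ReadyToDisable -AutoSize

# Leavers whose mailbox still forwards mail while waiting to be archived.
$status | Where-Object { $_.ForwardingAddress } |
    Format-Table Name, ForwardingAddress -AutoSize

# Preview only: remove -WhatIf once the list has been reviewed.
$status | Where-Object { $_.ReadyToDisable } |
    ForEach-Object { Disable-Mailbox -Identity $_.Identity -WhatIf }
```

Any mailbox that stays in the first table for more than a few archiving runs is a candidate for the DTrace of the ArchiveTask suggested earlier in the thread.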