Video Screencast Help

EV enabled mailbox, but account disabled, doesn't get new Povisioning group

Created: 01 Oct 2013 | 8 comments

We have employees that used EV for archiving and have been assigned an PG.

If the user doesn't work for the company anymore the following things are done with the useraccount:

- moved to the Ex-employee OU that assigns an ex-employee PG

- Account disabled

- Hidden van GAL

After the provisioning task has ben run, the report states that the maikbox has updated but the mailbox\policy assignment overview doesn't show the changed policy.

How can i change the PG for disabled useraccounts that already where enabled?

 

Operating Systems:

Comments 8 CommentsJump to latest comment

RahulG's picture

refer http://www.symantec.com/business/support/index?page=content&id=TECH76587

You need to Rank the Provisioning group Properly.

The users are provisioned according to the rank of the provisioning group . If the user exist in two polocies the one with higher rak would get applier i.e Rank1 is the highest.

Marcel van Klaveren's picture

Already found this article, but these manual steps are a no go for a company with 4000 users.

It all has to go automated :-(

EV_Ajay's picture

Hi Marcel,

Follow the below sequence ....

1. Move the User to Ex employee OU that is targeted for 1st provisioning group.

2. Restart the provisioning Task.

3. Run the Provisioning the Task in Normal Mode.

4. Check the Provision Task report and search for that User and check for his policy in the report.

5. If you want to archive his mailbox then do not Disable the User account / hide his mailbox until his whole mailbox is archived.

6. Once whole mailbox is archived then Disable that User from EV server for archiving.

7. Then Disable the User mailbox from Exchange.

8. Then Disable his AD Account.

 

Thanks,

Ajay

Marcel van Klaveren's picture

Hi Ajay,

The company policy states that the account must be disabled directly after the employee has left the building. And that the user is hidden from the GAL. These tasks and movement to the Ex-employee is done by our indentity manager. Everything is automated because we have 4000 users, and a lot of ex-emplyees ;-))

The provisioning task reports that the ex-employee has been provisioned with the new PG, but after manual intervention is needed. This all should go automatically...

Is it possible to use the account expire option instead of disable useraccount??? Shall it work then?

 

GabeV's picture

Hi,

Did you add the following registry keys:

ExcludeDisabledADAccounts

ProcessHiddenMailboxes

http://www.symantec.com/docs/TECH76587

http://www.symantec.com/docs/TECH47252

When you look at the provisioning report, what is the status on that mailbox?

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Marcel van Klaveren's picture

The provision report says that a new mailbox has been added to the PG ex-employee.

Yes I added this keys but, the user will be "hidden" in the EV console, and will not be activated automatically