
Leavers policy advice desperately needed.

Created: 17 Aug 2010 • Updated: 18 Sep 2010 | 5 comments
This issue has been solved. See solution.

Leavers Policy in EV 2007 SP3:

I've got to the point where I feel I'm trying to knit fog and not making any headway at all... 
I've read some articles on best practice and although beautifully written, they have exposed a ticklish issue for me.

The recommendation in various places is to add all leavers to a leavers AD group and use that group in the leavers policy within EV. Elsewhere the suggestion is to use custom attributes within those leavers contained in the leavers group in AD.
My little problem is that our AD folk have decided that they place all leavers in a 'disabled' pool that gets cleared down periodically, so in essence many of those leavers simply disappear from the system. 
The disabled pool also gets used for folk who are temporarily suspended for one reason or another. We use a lot of short-term contractors, most of whom don't reappear, but those who do return are often given new unique user IDs.

Appreciate a solution to this granny knot that often feels like it's turning into a Gordian knot.

Thanks for your attention.

Comments (5)

EVNoodles

Leavers Policies can be tricky.

However it seems the AD folk might need to adjust their methods with a little consultation from yourselves.

As you have not stated how often these users get cleared down, or if the mailboxes are included in this procedure, I would say that if you wish to retain all archived data from these users and their mailboxes, then the period at which these are cleared down would have to change.

Normally a Zero Day Archiving Policy is put in place without the creation of shortcuts (to improve the speed) etc., and these users are sought out through either a group / OU / LDAP query etc., or even through EVPM.

Hope that helps

If this reply has resolved your issue please mark this post as solved. Thanks for your time, EV Noodles

EV_Novice

Hi EV Noodles,

Appreciate your insight and advice.

I did go down that track and received a response along the lines of 'we don't want to / don't need to change our ways, they work for everything else we do! GO AWAY!'.

The disabled pool gets cleared out periodically, which could be every couple of months or even twice in the same month, depending on what projects are in progress. I can probably pick up each month's worth of leavers and post them into the leavers policy, but I fear that at some point in the future I'm going to max out the limit that is allowed in the policy (whatever that might be?) for the number of users in the list...

WiTSend

You can create the steps necessary to automate the "leavers" group by either using the OU, or an LDAP query that covers a unique attribute for only the users that you are looking for, and make that the definition for the Provisioning Group in EV. There is not a concern over the number of users in that provisioning group since EV can handle extremely large groups. One question: do you need to have a different PG for "leavers" to manage the data in the mailbox, or just to remove the archives?
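The LDAP-query approach described above, as an added example that is not from any poster in this thread: a PowerShell script that keeps a "leavers" AD group in step with the disabled accounts that carry a marker attribute, so the EV provisioning group can simply be defined on that group and temporarily suspended accounts in the same pool are left out. The group name, the OU and the marker attribute are assumptions; it needs the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread). Reconciles a leavers group from an LDAP query
# over the disabled pool, so the EV provisioning group definition never changes.
Import-Module ActiveDirectory

# Assumed names: adjust to your directory.
$LeaversGroup = 'EV-Leavers'                      # assumed leavers group
$DisabledOU   = 'OU=Disabled,DC=example,DC=com'   # assumed "disabled pool" OU
$MarkerAttr   = 'extensionAttribute1'             # assumed attribute flagging real leavers
$MarkerValue  = 'Leaver'

# Disabled user accounts (userAccountControl bit 0x2, tested with the LDAP
# bitwise-AND matching rule) that also carry the leaver marker. Suspended
# accounts in the same OU without the marker do not match.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
          "($MarkerAttr=$MarkerValue))"

$wanted  = @(Get-ADUser -LDAPFilter $filter -SearchBase $DisabledOU |
             Select-Object -ExpandProperty DistinguishedName)
$current = @(Get-ADGroupMember -Identity $LeaversGroup |
             Select-Object -ExpandProperty DistinguishedName)

# Reconcile in both directions: add new matches, drop accounts that no longer match
# (a returning contractor whose marker was cleared, for instance).
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted  })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $LeaversGroup -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $LeaversGroup -Members $toRemove -Confirm:$false
}

Write-Output ("Leavers group '{0}': added {1}, removed {2}" -f
    $LeaversGroup, $toAdd.Count, $toRemove.Count)
```

Run it as a scheduled task more often than the AD team clears the pool, and the EV provisioning task picks up each leaver while the account still exists.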

GertjanA

Hello EV_Novice,
As Maxwits says, provisioning can be large (and, as the OU seems to be cleared out, would it really grow large?).
You write 'disabled pool'. Are accounts being disabled?

If so, you need to set a registry entry to archive from disabled accounts.

As for people returning and getting a new ID, if they require access to their old existing archive, you could set the SynchInMigration mode key I think, or assign the new account to the old archive.

Also the remark of EV_Noodles (no shortcuts) is correct. If you upgrade to EV 8 (SP4, or SP5 when out) you get Virtual Vault, so there is no need for shortcuts at all.

Thank you, Gertjan, MCSE, MCITP, MCTS, SCS, STS
Company: www.t2.nl


SOLUTION
EV_Novice

Dear all, thanks to you all for your suggestions and ideas. My knowledge of LDAP is next to useless, so I'll do some reading on that. Didn't know about the registry entry: will look into that, too.
I'll spend a little more time thinking about what you've advised and let you know which way I went!

I don't feel quite so lonely now :)

Thanks again!