
De-Provisioning Group

Created: 08 Nov 2010 • Updated: 24 May 2011 | 6 comments
Korbyn
Status: In Review

It would be excellent to see a clean, automated and easy to manage De-Provisioning process. Perhaps one where users are added to a group, much like the Provisioning process, and have parameters around for disabling them in EV, Archive Everything, Vault Mailbox Retention (14, 30, 60, 90 days or whatever), and I'm sure there are a number of other items which could be added. Larger organizations (5,000+) often have a complex process for removing accounts and mailboxes, and EV currently has no automated process for cleanup whether the EV archive mailbox is properly disabled before the user account/Exchange mailbox gets deleted, let alone after.

Comments

MichelZ

Hi

You can do many things with the standard provisioning group.

Just create a leavers group with highest priority, where you put your leavers in, and set it to archive after 0 days. This will take care of archiving everything in the Mailbox.

As for deletion, you could use the API to delete the Archive with a custom program, I think. (As well as disable it before the mailbox gets deleted.) A little bit of customizing should be possible in 5000+ Organizations, I think?

EV does have an automated process, which is based on retention of the archived items, and it will delete them once the retention period is over. All that is left would be the Name of the Archive in the Archive List ;)

Cheers

Michel

Korbyn

I've been using an archive all policy long before it was ever posted, but that's not automation.

What a number of clients have, and want to see in EV, when they Delete an AD account, Exchange sends the associated user mailbox off into Limbo for 30 days, or 90 days in this one customer's case, and it disappears.

EV has no such mechanism for dealing with Vaults of Deleted AD/Exchange objects, it just throws errors in the event log and in the provisioning report, and you then have to go and manually remove entries from the ExchangeMailbox Entry table. With 100,000+ users/mailboxes, you can perhaps see that this would become quite unmanageable and like steering the Titanic with a paddle in changing a service desk procedure.

Some clients will want to archive everything and keep forever, many others want the data gone within 30, 60, 90 days as per their corporate policy, and EV Admins do not want to be putting reminders in their calendar to purge someone's Vault 90 days from now...

MichelZ

That's what I mean... you *can* automate that yourself with the help of the API.

That's just how it is... I don't think EV will ever have a functionality to automatically delete user archives. What if there is an error in provisioning, and EV *thinks* an Exchange mailbox was deleted, and then deletes the EV data? There is just too much room for errors, I believe.

Maybe someone from the EV Team can elaborate further on this... It can be a nice addition, if they manage to do it flawlessly.

 

As for your service desk procedures... I really think this currently belongs in such a procedure.

-> User leaves company.

-> User gets disabled

-> Fully Archive Mailbox (change provisioning group)

(You need the registry key to archive disabled users/mailboxes)

-> Wait x days

-> Disable mailbox for archiving

-> Delete Mailbox

 

Cheers

Korbyn

Using the API would imply that I'm some kind of programmer, I definitely am not.

There are queries that can be used to determine that the account and mailbox have been deleted, and in the event that it was done in error that is why I would want the policy so that Vaults can be retained x number of days after the system detects that the account and mailbox no longer exist. It's what we do in Exchange, if the account is deleted, you have 30 days to create a new account and reconnect the "disabled" mailbox before it's purged from the system.

This is why I'm posting this in the Ideas area, in hopes that the EV Team can develop this into the product, in essence, Life Cycle Management. EV starts well, but ends very messy. I 100% guarantee that with over 100 people having the ability to create/manage/delete accounts, no matter how well they're trained, someone is still going to have to clean up the SQL database, and NO ONE is going to want to remember to clean out Vaults 30 or 90 days from now... If you have 1000 users per month turn over, would you want to manage that purge...

Korbyn

Perhaps even a Registry setting that would at least have EV automatically disable a Vault if the user is no longer a part of a provisioning group. And modify the Disable mailbox msg to say that if this is in error, contact the helpdesk, and perhaps even add a BCC to the msg so a group or person is notified of a disabling.

MichelZ

Our FREE "Archive Leavers" tool does that now.
