Dean Suzuki Blog
Title: How Do You Handle Exchange Mailboxes for Employees Who Are No Longer With the Company
Created: 1/21/2013

Description: I was asked by one of my customers, how do you handle mailboxes for employees who are no longer with the company. Specifically, they wanted to:
- Disable the access for that user (call them UserA)
- Send an auto-reply to the sender informing them that the user is no longer with the company
- Forward the message to their supervisor (call them SupA)
In this post, I document my research, testing, and suggestions on how to handle this scenario.

Disclaimer: Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer.
(C) 2012 Dean Suzuki, All Rights Reserved

Procedure:

Table of Contents
1 Strategy
2 Scenario #1: Keeping the User's Mailbox On The Exchange Server
2.1 Forwarding the User's Mail to their Supervisor
3 Scenario #2: Removing the User's Exchange Mailbox
4 Appendix A: Test Scenario

1 Strategy

Based upon my research and my own pondering, I came up with the following strategy and steps on how to handle Exchange mailboxes for users who are no longer with the company. The first decision is whether or not you want to keep the Exchange mailbox of a user who has left the company on the Exchange server. Some companies may want to keep the user's mailbox on the server to search back into for business purposes (continuity of customer communications, etc.).

2 Scenario #1: Keeping the User's Mailbox On The Exchange Server

If you keep the Exchange mailbox on the Exchange server, then the following steps could be followed.
- Disable the user's Active Directory (AD) account. This will prevent the user from logging into their account.
- Note on the user's AD account description that the user is no longer with the company and inform the Help Desk of this procedure. This is to alert the Help Desk that this user is no longer with the company, so if they get a call asking to re-enable the account then they are aware of a potential security breach.
- Change the user's AD account password. In my testing, I noticed that Exchange takes some time (about 10-15 minutes in my testing) to recognize that the account has been disabled. In that window, I was able to log into OWA even though the account was disabled. To prevent access during this window, change the user's account password.
- Hide their account from the Global Address List (GAL). This will prevent people from seeing that user in the Global Address List. To hide the user in the Global Address Book, open the Exchange Management Console. Go to the Recipients tab and open the user's mailbox. On the General tab, check the box "Hide from Exchange address list".
- If you want to be able to look through the person's mail for prior information, then you could grant someone access to that user's mailbox. To allow this access, right click on the disabled employee and then click on Properties. Go to the Exchange Advanced tab and then click on the Mailbox Rights button. Add your account in here with the Full Mailbox Access & Associated External Account permissions.

2.1 Forwarding the User's Mail to their Supervisor

I outlined the following steps to forward the user's mail to their supervisor. These steps were developed using Exchange 2007 (per customer request).
1. Launch Exchange Management Console.
2. Go to the Recipient Configuration container.
3. Go to the user's mailbox.
4. Double-click it to open the properties page.
5. Go to the Mail Flow settings tab.
6. Double-click Delivery Options.

Note, on the Delivery Options page, I can specify to forward this message to another mailbox. In the above picture, I set it up to forward the user's mailbox to their supervisor (tsup1, my test
supervisor). In this case, any messages sent to this user will be forwarded to the mailbox indicated. The mailbox of the user who left the company won't contain the new message. If we check the box "Deliver messages to both forwarding address and mailbox" then both the mailbox of the user who left the company and their supervisor's mailbox will contain the message.

Once the mail has been forwarded to their supervisor, the supervisor receives the mail and it is addressed to the original user. So, the supervisor can create a rule to move the mail to a specific folder and/or reply to that message with a message stating that the employee is no longer working for the company.

3 Scenario #2: Removing the User's Exchange Mailbox

If your procedure is to remove the user's Exchange mailbox, then the following steps could be followed:
- Export the user's mailbox to a pst file. This step is optional and is used by some companies to keep a copy of that user's mailbox.
- Delete the user's mailbox.
- If you want the supervisor to get any future e-mail addressed to the user who is no longer with the company, then you can add the terminated person's proxy address to the supervisor's account.
  1. Open Exchange Management Console.
  2. Go to the Recipient Container and open the mailbox of the supervisor who you want to get any future e-mail that is sent addressed to the user who is no longer with the company.
  3. Go to the E-mail addresses tab, press Add and enter the SMTP address of the user who left the company. In my example, I used tuser7@irvlab.mtcdems.net to simulate the user who left the company.

By performing these steps, any future e-mail addressed to the user who is no longer with the company will go into the supervisor's inbox. After testing this method, I noticed that the message appears in the supervisor's inbox as addressed to them since they have both addresses on the proxy tab. So, Outlook is not able to distinguish the supervisor's mail from that of the user who left the company. So, I wasn't able to create an auto-reply Outlook rule that was specifically targeted at the user who left the company.

Another option would be to create a new mailbox to handle any user or a subset of users who have left the company and add the SMTP address of the users who are no longer here to the list of proxy addresses. This mailbox could have an auto-responder rule that replies that the user is no longer with the company. Then, the supervisor will need to be granted access to that mailbox. The supervisor could open that mailbox and review any messages sent and handle them accordingly. This hybrid approach could be implemented by department so that potentially each department had a person that monitored the mailbox for people who have left the company and get new e-mail.

4 Appendix A: Test Scenario

I set up a lab to test out these scenarios. I created the following mailboxes.
- User (test-user-gone): Simulates the user who is no longer with the company.
- User (test-user-employee): Simulates another user in the company.
- Supervisor (test-user-supervisor): Simulates the supervisor of test-user-gone who should receive any future e-mail sent to them.
- External user (test-user-external): Simulates an external user who is trying to e-mail test-user-gone (the user who is no longer with the company).

Test Case #1
Test Description: Send email from user to user (test-user-external to test-user-gone).
Test Results: Can send e-mail back and forth.

Test Case #2
Test Description: Disable AD account for test-user-gone. Send e-mail from test-user-external to test-user-gone.
Test Results: Can't login to test-user-gone OWA when account is disabled. Email from test-user-external received into test-user-gone mailbox even though AD account is disabled.

Test Case #3
Test Description: Repeat test 2 except enable an Out of the Office (OOF) message for test-user-gone saying that they are no longer with the company.
Test Results: I had to enable the test-user-gone's account to set the OOF and then disable it. Even though the AD account was disabled, the OOF message was still sent to the person who sent the e-mail. I was still able to login to test-user-gone OWA even though the account has been disabled. It appears that there is a lag between when the AD account is disabled and Exchange recognizes this change and prevents the user from logging into OWA. After about 15 minutes, I wasn't able to log into OWA.

Test Case #4
Test Description: Set forwarding addresses on test-user-gone user to test-user-supervisor. Send message from test-user-external to test-user-gone.
Test Results: I recommend to change the password to prevent user from logging in. I wasn't able to login to OWA. I guess it takes a couple minutes before Exchange recognizes that the AD account has been disabled. Test-user-supervisor got the forwarded message. Test-user-gone didn't get any message from test-user-external. Test-user-external didn't get an OOF message. I am thinking that users will only get 1 OOF message per a certain interval so it would be more consistent to use an Outlook rule to always auto-respond to e-mail versus using the Out of the Office.

Test Case #5
Test Description: Set forwarding address on test-user-gone user and also send message to both original mailbox and forwarded mailbox. Send message from test-user-external to test-user-gone.
Test Results: I still wasn't able to login to test-user-gone. Test-user-supervisor got the forwarded message. The "To" was addressed to test-user-gone. Test-user-external didn't get an OOF message.

Test Case #6
Test Description: Set up a rule on test-user-supervisor to reply to messages sent to test-user-gone with a message.
Test Results: Test-user-supervisor got the message. I had to set up a forward to test-user-employee since I can't set up a reply in OWA interface. Test-user-employee got the message.

Test Case #7
Test Description: Noticed that test-user-gone was still showing up in the address list. Hid test-user-gone from the address list.
Test Results: Test-user-supervisor got the message. Test-user-employee got the message. Noticed that test-user-gone was removed from the address list.

Test Case #8
Test Description: On test-user-supervisor, add a proxy address to the mailbox for tuser7@irvlab.mtcdems.net. This is to simulate that tuser7 was a user who left the company and we deleted their mailbox. Now, I am giving that SMTP address to test-user-supervisor. Send message from test-user-external to tuser7@irvlab.mtcdems.net.
Test Results: Test-user-supervisor receives the message but it appears to be addressed to test-user-supervisor. Next test case, I'll create a rule for that specific SMTP address.

Test Case #9
Test Description: Create a rule that puts mail addressed to tuser7@irvlab.mtcdems.net into a specific folder. Send a message from test-user-external to test-user-supervisor. Send a message from test-user-external to tuser7.
Test Results: Both messages went into the folder. Meaning that OWA wasn't able to distinguish in its rules tuser7 versus test-user-supervisor since both proxy addresses are on that user's account. Problematic. To solve this issue, will need to create a mailbox specifically for people who have left the company and allow the supervisor external access to it.
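
The Scenario #1 steps from sections 2 and 2.1, scripted for the Exchange Management Shell as an added example (not part of the original post). It assumes the ActiveDirectory PowerShell module is available alongside the Exchange cmdlets; the function name Disable-LeaverMailbox and its parameters are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell plus the ActiveDirectory module; function and parameter names are hypothetical.
function Disable-LeaverMailbox {
    param(
        [Parameter(Mandatory = $true)] [string] $Leaver,      # e.g. test-user-gone
        [Parameter(Mandatory = $true)] [string] $Supervisor,  # e.g. test-user-supervisor
        [string] $Reviewer                                     # optional: who may read the old mail
    )
    $ErrorActionPreference = 'Stop'

    # Reset to a random password nobody knows, then disable the account. The reset
    # is what covers the 10-15 minute window in which OWA still accepted a logon.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Leaver -Reset -NewPassword $secret
    Disable-ADAccount -Identity $Leaver

    # Flag the account so the Help Desk treats a re-enable request as suspicious.
    $note = "No longer with the company as of $(Get-Date -Format 'yyyy-MM-dd'). Do not re-enable."
    Set-ADUser -Identity $Leaver -Description $note

    # Hide from the GAL and forward new mail to the supervisor only.
    Set-Mailbox -Identity $Leaver -HiddenFromAddressListsEnabled $true `
        -ForwardingAddress $Supervisor -DeliverToMailboxAndForward $false

    # Optional: full access for one named reviewer instead of re-enabling the account.
    if ($Reviewer) {
        Add-MailboxPermission -Identity $Leaver -User $Reviewer -AccessRights FullAccess | Out-Null
    }

    # Read the settings back so the result can be attached to the offboarding ticket.
    $ad  = Get-ADUser -Identity $Leaver -Properties Enabled, PasswordLastSet, Description
    $mbx = Get-Mailbox -Identity $Leaver
    New-Object PSObject -Property @{
        Enabled         = $ad.Enabled
        PasswordLastSet = $ad.PasswordLastSet
        Description     = $ad.Description
        HiddenFromGAL   = $mbx.HiddenFromAddressListsEnabled
        ForwardingTo    = $mbx.ForwardingAddress
        DeliverToBoth   = $mbx.DeliverToMailboxAndForward
    }
}

# Usage, with the lab mailbox names from Appendix A:
# Disable-LeaverMailbox -Leaver 'test-user-gone' -Supervisor 'test-user-supervisor'
```

The returned object should show Enabled as False, a fresh PasswordLastSet, and the forwarding and hidden-from-GAL settings exercised in test cases 4 and 7.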