Tips for Elegantly Departing Employees’ Mailboxes

While handling employee separation is generally a process controlled or handled by human resources, IT has to get involved somehow to manage email, contacts, and other knowledge items stored within Exchange. Here are some suggestions on how to gracefully handle the technical side of employees transitioning out of your organization.

1. Redirect or ignore incoming mail. You need to direct incoming email to the departed employee somewhere besides that employee’s mailbox. Ideally, this redirection will only occur for four weeks or less as you work through the legitimate email the separated employee receives and make any necessary changes on the client, vendor, or outside party side so senders know that your separated employee no longer works for you. Several options include:

• Add a new email alias to the departed employees’ mailbox and then add the old -mail address to either the employee’s direct supervisor or closest colleague and allow that person to manage the incoming email flow. This lets team members “closest to the action” continue to manage relevant relationships without having to rely on other departments.

• Add a new email alias to the departed employee’s mailbox and then add the old email address to a new catch-all mailbox for your company that receives mail for all departed employees. Someone can then regularly work through the incoming mail and redirect it manually where it needs to go, unsubscribe from commercial email, and block the rest. This allows IT to keep control of email not destined for any current employee, but it does have the downside of requiring someone to manage the incoming email to ensure critical messages receive a timely response.

• Keep all email aliases the same, and add an autoresponder to the departed employee’s mailbox with standard language about who the appropriate contact in your organization is from that point forward. You would then presumably need to decide whether you cared about incoming mail for that user or not. If you didn’t, then you would just ignore incoming messages. If you did, then you would need to follow the workflow to step 2a covered in the next section. Alternatively, you could make Exchange forward all email a la steps 1a or 1b via the Delivery Options tab and then choose whether or not to retain a copy in the original mailbox.

• Create a distribution list. For example, if Bob Jones leaves, then you create a distribution list called Z-Bob Jones Forwards, add the old user’s email alias to that distribution list’s address list, and then add as members of the group anyone who needs access to Bob’s incoming mail. (The Z is so you can sort easily.) This way you can add and drop incoming mail recipients and you have a visual way of seeing which old email addresses are still around.

• Ignore all incoming mail. If you don’t care about alerting external contacts about a staffing change and you don’t care about incoming mail, then simply set the mailbox to only accept messages from that user and then deactivate that user within Active Directory. This results in everyone getting an error when attempting to mail that user, which is a decent but not graceful mechanism for letting people know they need to alter their communications. To perform this, use the Message Delivery Restrictions feature in the user’s Exchange properties and then choose the “Only senders in the following list” option and add that user to the list.

I would generally recommend hiding the departed employee in the Global Address List at this time.

2. Make a decision about the disposition of the data currently in the departed employee’s mailbox. I see a few options here: 

• Add rights to that mailbox to designated employees that remain with your company. I dislike this solution in most cases because of the potential for privacy violations; many employees have sensitive personal information in their mailboxes, and allowing other employees full rights to potentially sift through that information is distasteful to me, even though a corporate acceptable use policy may allow such permissions. 

• Immediately export the contents of the mailbox to a PST, and preserve it according to your organization’s adopted retention policy. This gets the mailbox out of your active mail store while preserving data that might be needed later.

• Trust your current archiving and journaling system, and simply delete the mailbox. If the data has already been journaled out to vault, there is no point in maintaining an active copy of it and taking up resources on your Exchange deployment. I prefer this option because it leverages your existing investment, is cleaner from a management perspective, and mitigates the risk of privacy violations from any old user traipsing around in someone else’s personal messages and appointments.

If you can work with your HR department to get a bit of advance notice before an employee is separated, it is best to issue a remote wipe command to employee devices before the account is disabled in Active Directory. Even though the account is disabled, the ActiveSync connection is still open to Exchange, and until that connection times out, it doesn't have to reauthenticate, and the device will not know the account has been disabled. This means your employee could still send and receive messages through the mobile device even though his interactive login has been disabled. A wipe takes care of this problem, and blocking further ActiveSync partnerships will also prevent him from re-establishing a connection. It's recommended to allow 30 minutes to perform this wipe and disable ActiveSync access so all changes can percolate through the system.

4. Communicate deadlines. These solutions should work for limited periods of time. This is generally dependent on the type of business you do, the types and seasons of communications the departed employee regularly handled with outside contacts and any regulatory compliance mandates you may face as a result of your industry. 

In almost all cases, it is rarely advisable to leave an employee’s mailbox active for longer than 12 months. I personally recommend archiving a separated employee’s mailbox after 90 days. Unless there is pending litigation, that mail and its contents should be archived to an enterprise data vault, stored somewhere, and the mailbox disabled. The lifecycle of any mail aliases is less critical, but in the absence of a great method of keeping track of these aliases, I would recommend setting up a 90-day timeline for using these aliases. Unless there is a clear business need at the end of 90 days, aliases relating to the departed employee should be removed.

TIP: For those with integrated Enterprise Voice with their Exchange deployments: Do not forget phone extensions and direct inward dial (DID) numbers. These should be either disconnected with a proper message or redirected to another employee who can handle the inbound calls and voice messages.