Build Your Own Exchange 2016 Test Lab
The best way to learn about any technology, and specifically Exchange Server, is to be as hands-on...
While handling employee separation is generally a process controlled or handled by human resources, IT has to get involved somehow to manage email, contacts, and other knowledge items stored within Exchange. Here are some suggestions on how to gracefully handle the technical side of employees transitioning out of your organization.
1. Redirect or ignore incoming mail. You need to direct incoming email to the departed employee somewhere besides that employee’s mailbox. Ideally, this redirection will only occur for four weeks or less as you work through the legitimate email the separated employee receives and make any necessary changes on the client, vendor, or outside party side so senders know that your separated employee no longer works for you. Several options include:
I would generally recommend hiding the departed employee in the Global Address List at this time.
2. Make a decision about the disposition of the data currently in the departed employee’s mailbox. I see a few options here:
If you can work with your HR department to get a bit of advance notice before an employee is separated, it is best to issue a remote wipe command to employee devices before the account is disabled in Active Directory. Even though the account is disabled, the ActiveSync connection is still open to Exchange, and until that connection times out, it doesn't have to reauthenticate, and the device will not know the account has been disabled. This means your employee could still send and receive messages through the mobile device even though his interactive login has been disabled. A wipe takes care of this problem, and blocking further ActiveSync partnerships will also prevent him from re-establishing a connection. It's recommended to allow 30 minutes to perform this wipe and disable ActiveSync access so all changes can percolate through the system.
4. Communicate deadlines. These solutions should work for limited periods of time. This is generally dependent on the type of business you do, the types and seasons of communications the departed employee regularly handled with outside contacts and any regulatory compliance mandates you may face as a result of your industry.
In almost all cases, it is rarely advisable to leave an employee’s mailbox active for longer than 12 months. I personally recommend archiving a separated employee’s mailbox after 90 days. Unless there is pending litigation, that mail and its contents should be archived to an enterprise data vault, stored somewhere, and the mailbox disabled. The lifecycle of any mail aliases is less critical, but in the absence of a great method of keeping track of these aliases, I would recommend setting up a 90-day timeline for using these aliases. Unless there is a clear business need at the end of 90 days, aliases relating to the departed employee should be removed.
TIP: For those with integrated Enterprise Voice with their Exchange deployments: Do not forget phone extensions and direct inward dial (DID) numbers. These should be either disconnected with a proper message or redirected to another employee who can handle the inbound calls and voice messages.