Options When a Staff Member Leaves
Eventually a member of staff will leave, either to go to a new job, or because they have to leave for another reason. This then raises the question of what to do with their mailbox and handling the inbound email.
You have a number of options, which you can use all or a combination of.
- As soon as the staff member leaves the company, you should reset the password and remove the user from any groups within the domain. The only group that the user needs to remain a member of is "Domain Users".
- If the mailbox is staying enabled for the time being, then it should be hidden from the global address list:
Exchange 2000/2003: In ADUC, right click on the user and choose Properties. Then click on the tab "Exchange Advanced". Enable the option "Hide from Exchange Address lists".
Exchange 2007: Open the properties of the user in Exchange Management Console. The option to hide the user is on the first tab "General".
If you are using Outlook 2003 or higher in cached mode then the user will not disappear immediately. See this article for an explanation why.
- If email was being automatically forwarded to another external email address, or to a handheld device such as a Blackberry, then this should also be disabled.
- If there are likely to be other people accessing this mailbox and their access needs to be curtailed, at least for a short time, then the mailbox should be disabled and their rights removed. This will also hide the user from the global address list.
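The same first-day lockdown as a single script, added here as an example rather than taken from the article. It assumes the Exchange 2007 Management Shell plus the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the account name is a placeholder.

```powershell
# Added example, not from the original article. Assumes Exchange 2007
# Management Shell and the ActiveDirectory module; 'jsmith' is a placeholder.
$leaver  = 'jsmith'
$newPass = Read-Host -AsSecureString 'New random password for the leaver'

# 1. Reset the password so the old credential stops working immediately.
Set-ADAccountPassword -Identity $leaver -Reset -NewPassword $newPass

# 2. Remove the account from every group except Domain Users. Domain Users is
#    the primary group, which cannot be removed this way in any case, so the
#    filter also keeps the command from erroring on it. Distribution lists are
#    AD groups too, so this covers internal mail as well as resource access.
Get-ADPrincipalGroupMembership -Identity $leaver |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $leaver -Confirm:$false }

# 3. Hide the mailbox from the GAL and clear any forwarding set on the mailbox.
Set-Mailbox -Identity $leaver -HiddenFromAddressListsEnabled $true `
    -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 4. Cut off handheld and web access (a BlackBerry on BES is disabled on the
#    BES server instead, which this script cannot reach).
Set-CASMailbox -Identity $leaver -ActiveSyncEnabled $false -OWAEnabled $false

# 5. List everyone else with explicit Full Access so their rights can be
#    reviewed; inherited entries and the SELF entry are left out.
Get-MailboxPermission -Identity $leaver |
    Where-Object { -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\SELF' -and
                   $_.AccessRights -contains 'FullAccess' } |
    Select-Object User, AccessRights
```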
Disabling the User Account
It is not recommended to disable the user account, for a number of reasons.
The main reason is that Exchange caches permissions. Therefore if the account is disabled and then re-enabled, it can be up to two hours before the account actually becomes accessible again. Instead, you should simply hide the account and change the password. That will stop most use of the account. If you also enable the require-password-change option, any further use of the account can be tracked.
You may also want to consider the use of a "No Access" group, which is used to block access to all shared resources specifically.
If you do decide to disable the account, on Exchange 2000/2003 disabling the mailbox can generate error messages in the event log (see here). Therefore you should make an adjustment to their account:
- Go into the Mailbox Rights of the user account. You will find this in ADUC: right-click on the user account and choose Properties. Select the "Exchange Advanced" tab and then "Mailbox Rights".
- Listed in the users will be one called "Self", which should already have "Full Mailbox Access" rights. Enable "Associated External Account" as well.
- Apply/OK out.
Note: You can only have one "Associated External Account" per user, so if another account has already been given that setting, it will need to be removed and the "Self" setting granted the right.
Longer Term Actions
Once the dust has settled following the user's departure, you can think about what needs to be done with this user's email on a longer term basis.
There are two things to consider:
- Existing Email
- New Email
Existing Email is fairly straightforward to deal with.
Either archive the entire contents out to a pst file, or give a manager/replacement full mailbox access to the account and add it as an additional account to their existing Outlook.
If the ex-staff account was hidden from the address book, then you will need to unhide it before adding it to another user's Outlook. Once the connection is established you can hide it again.
You have a number of options with regards to new email messages. It depends on the needs of the business.
This only applies to external email. Internal email will not be sent, because staff should know that the person has left, and they no longer appear in the address book.
- You could just have all new email delivered to the mailbox as normal. A manager or colleague could then review the messages.
- Alternatively you could remove their primary SMTP address and add it to the account of their manager. Exchange will deliver all email to that account instead. This may require a dummy address to be put on their existing account if there was only one SMTP address listed.
- You could also use the "Store and forward" option within the account to forward email to another person and optionally the message could also be delivered to their mailbox. (ADUC, User Properties, Exchange General, Delivery Options).
- You could remove the SMTP address and black hole it. This would mean that the email is never seen again. More details on black holes can be found here. If you are using Exchange 2003 or higher with recipient filtering then you could simply remove the address completely. This will generate an NDR to anyone who sends email to the user account.
- If the company is feeling particularly generous then you could have email sent to their old company address forwarded to a new personal address. Ensure that the account is not a member of any internal distribution lists so they don't get any internal email.
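The longer-term choices above (archive and delegate, store and forward, or moving the primary SMTP address to the manager) as Exchange 2007 Management Shell commands. This is an added example, not the article's own text; the aliases, PST path and dummy address are placeholders.

```powershell
# Added example, not from the original article. Assumes the Exchange 2007
# Management Shell; 'jsmith', 'mjones' and the addresses are placeholders.
$leaver  = 'jsmith'   # alias of the ex-staff member
$manager = 'mjones'   # alias of the manager who will take over the mail

# Option A: archive the existing mail to a PST and give the manager Full Access.
# Export-Mailbox needs Exchange 2007 SP1 and a 32-bit machine with Outlook.
function Export-LeaverMailbox {
    Export-Mailbox -Identity $leaver -PSTFolderPath 'C:\LeaverArchive' -Confirm:$false
    # The manager still has to unhide the mailbox before adding it to Outlook,
    # as described in the article.
    Add-MailboxPermission -Identity $leaver -User $manager `
        -AccessRights FullAccess -InheritanceType All
}

# Option B: "Store and forward". New mail goes to the manager and a copy is
# kept in the leaver's mailbox; set DeliverToMailboxAndForward to $false
# to forward only.
function Set-LeaverStoreAndForward {
    Set-Mailbox -Identity $leaver -ForwardingAddress $manager `
        -DeliverToMailboxAndForward $true
}

# Option C: move the leaver's primary SMTP address onto the manager's mailbox.
# Exchange rejects duplicate proxy addresses, so the address is taken off the
# leaver first, leaving a dummy address behind in its place.
function Move-LeaverAddressToManager {
    $old   = (Get-Mailbox -Identity $leaver).PrimarySmtpAddress.ToString()
    # Placeholder dummy address; use one of your own accepted domains.
    $dummy = "SMTP:$leaver.left@example.com"
    # Turn off the address policy, otherwise it puts the old address straight back.
    Set-Mailbox -Identity $leaver -EmailAddressPolicyEnabled $false `
        -EmailAddresses $dummy
    # Lower-case "smtp:" adds it as a secondary address; the manager keeps
    # their own primary address.
    $mgr = Get-Mailbox -Identity $manager
    $mgr.EmailAddresses += "smtp:$old"
    Set-Mailbox -Identity $manager -EmailAddresses $mgr.EmailAddresses
}
```

Run only the function that matches the option chosen; forwarding and reassigning the address at the same time would simply deliver the mail twice.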