amset.info
from Sembee Ltd.
UK MS Exchange Consultants

Microsoft Exchange Server
Page Last Reviewed: 20/02/2009

Exchange Server Compatibility Information

Exchange Server Version    Compatibility
5.5*                       No
2000                       Yes
2003                       Yes
2007                       Yes

* May Adapt (More Information)

Options When a Staff Member Leaves

Author: Simon Butler, Exchange MVP, MCSE

Eventually a member of staff will leave, either to go to a new job or for another reason. This raises the question of what to do with their mailbox and how to handle their inbound email.

You have a number of options; you can use all of them or a combination.

Immediate Actions

  • As soon as the staff member leaves the company, you should reset the password and remove the user from any groups within the domain. The only group that the user needs to remain a member of is "Domain Users".
  • If the mailbox is staying enabled for the time being, then it should be hidden from the global address list:
    Exchange 2000/2003: In ADUC, right click on the user and choose Properties. Then click on the tab "Exchange Advanced". Enable the option "Hide from Exchange Address lists".
    Exchange 2007: Open the properties of the user in Exchange Management Console. The option to hide the user is on the first tab "General".
    If you are using Outlook 2003 or higher in cached mode then the user will not disappear immediately. See this article for an explanation why.
  • If email was being automatically forwarded to another external email address, or to a handheld device such as a Blackberry, then this should also be disabled.
  • If there are likely to be other people accessing this mailbox and their access needs to be curtailed, at least for a short time, then the mailbox should be disabled and their rights removed. This will also hide the user from the global address list.
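
The immediate actions above can be scripted so that none is missed. This is an added example, not code from the original article: the function name `Invoke-LeaverLockdown` and the account name `jsmith` are hypothetical, and it assumes a single PowerShell session with both the ActiveDirectory module (Windows Server 2008 R2 or later) and the Exchange cmdlets (Exchange 2007 or later) available.

```powershell
# Added example: hypothetical helper, not part of the original article.
# Assumes one session with the ActiveDirectory module and the Exchange cmdlets.
Import-Module ActiveDirectory

function Invoke-LeaverLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Reset the password; it is prompted for so it never sits in the script.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
        $newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    }

    # Remove every group except "Domain Users" (well-known RID 513).
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.SID.Value -notmatch '-513$' }
    foreach ($group in $groups) {
        if ($PSCmdlet.ShouldProcess($group.Name, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
    }

    # Hide the mailbox from the address lists and clear server-side forwarding.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Hide mailbox and clear forwarding')) {
        Set-Mailbox -Identity $SamAccountName `
            -HiddenFromAddressListsEnabled $true `
            -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false
    }

    # Return the resulting state so it can be checked and kept with the leaver record.
    Get-Mailbox -Identity $SamAccountName |
        Select-Object Name, HiddenFromAddressListsEnabled, ForwardingAddress, DeliverToMailboxAndForward
}

# Preview the changes for a constructed account name, then run without -WhatIf.
Invoke-LeaverLockdown -SamAccountName 'jsmith' -WhatIf
```

The script only clears the forwarding address held on the mailbox; forwarding set up elsewhere, such as on a handheld device service, still has to be disabled separately.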

Disabling the User Account

It is not recommended to disable the user account, for a number of reasons.

The main reason is that Exchange caches permissions. Therefore, if the account is disabled and then enabled, it can be up to two hours before the account actually becomes accessible. You should therefore simply hide the account and change the password. That will stop most use of the account. If you enable the "require password change" option as well, use of the account can be tracked.
You may also want to consider the use of a "No Access" group, which is used to block access to all shared resources specifically.

If you do decide to disable the account, on Exchange 2000/2003 disabling the mailbox can generate error messages in the event log (see here). Therefore you should make an adjustment to their account:

  1. Go into the Mailbox Rights of the user account. You will find this in ADUC: right click on the user account and choose Properties. Select the "Exchange Advanced" tab and then "Mailbox Rights".
  2. Listed in the users will be one called "Self", which should already have "Full Mailbox Access" rights. Enable "Associated External Account" as well.
  3. Apply/OK out.

Note: You can only have one "Associated External Account" per user, so if another account has already been given that setting, it will need to be removed and the "Self" setting granted the right.


Longer Term Actions

Once the dust has settled following the user's departure, you can think about what needs to be done with this user's email on a longer term basis.

There are two things to consider:

  1. Existing Email
  2. New Email

Existing Email

Existing email is fairly straightforward to deal with.
Either archive the entire contents out to a pst file, or give a manager/replacement full mailbox access to the account and add it as an additional account to their existing Outlook.
If the ex-staff account was hidden from the address book, then you will need to unhide it before adding it to another user's Outlook. Once the connection is established you can hide it again.

New Email

You have a number of options with regards to new email messages. It depends on the needs of the business.
This only applies to external email. Internal email will not be sent because the staff should know that person has left, and they no longer appear in the address book.

  1. You could just have all new email delivered to the mailbox as normal. A manager or colleague could then review the messages.
  2. Alternatively you could remove their primary SMTP address and add it to the account of their manager. Exchange will deliver all email to that account instead. This may require a dummy address being put on their existing account if there was only one SMTP address listed.
  3. You could also use the "Store and forward" option within the account to forward email to another person and optionally the message could also be delivered to their mailbox. (ADUC, User Properties, Exchange General, Delivery Options).
  4. You could remove the SMTP address and black hole it. This would mean that the email is never seen again. More details on black holes can be found here. If you are using Exchange 2003 or higher with recipient filtering then you could simply remove the address completely. This will generate an NDR to anyone who sends email to the user account.
  5. If the company is feeling particularly generous then you could have email sent to their old company address forwarded to a new personal address. Ensure that the account is not a member of any internal distribution lists so they don't get any internal email.

Related Articles

Changes to the Offline Address Book Not Being Seen
Email Blackholes
Disabled Account Event Log Errors

Last Page Update:
20/02/2009

© Sembee Ltd. 1998 - 2010.
