Solved

Windows 2003 Active Directory & Terminated Employees

Posted on 2010-11-20
645 Views
Last Modified: 2012-05-10
My domain is Windows 2003 Enterprise.
My email is Exchange 2003 Enterprise.

When employees are terminated I can usually delete their AD credentials, but typically their managers want access to their email boxes.  Is it possible to delete an Active Directory user ID, leave that user's mailbox intact, and allow other users access to it?  If yes, how?
Question by: deklinm
14 Comments
 
LVL 9

Accepted Solution

by:
rfportilla earned 500 total points
ID: 34178865
Disable users.  Don't delete them.  If you delete them, you lose everything.  

I would first go into their account and give someone else access to their email, then disable the login.  I believe this should work.  If not, at least change the login to something that only the administrator and supervisor have access to.  

Another option is to dump the email into a pst file and load it into Outlook for the supervisor to read.  However, I still would not delete the account.
0
 
LVL 9

Expert Comment

by:losip
ID: 34178884
I agree with the above comment.  However, if there is any question of the account or email content being required for forensic investigation, then use the pst export mechanism for emails so that there is no question of the content having been amended by their manager.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34178896
A mailbox must have a user account associated with it and a user account can only be associated to one mailbox.

You can remove the user account and then re-connect the mailbox to a different account (as long as it doesn't have a mailbox already)

Alternatively, what some of my customers do is copy the content of the mailbox into a folder within the manager's mailbox.

This is because PST files should not be stored on network drives and therefore lose their convenience if they are stored locally.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34178904
If you don't delete the mailbox as has been suggested above then make sure you change or remove the email address otherwise it will continue to receive email after you have exported it.

There is no reason not to delete the account and I certainly don't leave any unneeded accounts on any of my customers' servers.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34179697
We export to PST and provide it to whoever needs access to the email.   If the users old emails should be directed somewhere, we assign that email as an additional smtp address to the proper destination.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34179698
Forgot to add, we delete the account after the above steps.
0
 
LVL 12

Expert Comment

by:Dave
ID: 34182815
We have a VBScript file that:

Disables the account
Copies some info to the notes field such as group membership, and profile locations
Sets the Exchange permissions so no one can send to the account apart from the service desk
Removes the account from all groups
Moves the account to a "disabled" OU in Active Directory.

This is probably more than you need.....
0
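The offboarding sequence Dave lists above (disable, record group membership and profile paths, remove from groups, move to a "disabled" OU), together with rfportilla's accepted advice to disable rather than delete so the SID and permissions survive, can be done from one script against a Windows 2003 domain. The following PowerShell is an added example written for this thread; it is not Dave's VBScript (disableuser1.txt) and not anything from Experts Exchange. It deliberately uses [ADSI]/System.DirectoryServices rather than the ActiveDirectory module, because ADSI needs nothing extra on a 2003 DC. The OU distinguished name, the domain components, and the ticket reference are assumed placeholders; the Exchange side (granting the manager mailbox rights, or exporting to PST with ExMerge/Outlook) is left to ESM or your export tool as the other replies describe.

```powershell
# Added example, not from the thread: disable-and-document offboarding via ADSI.
# Assumed placeholders: the disabled-users OU DN and the ticket id. Run as an account
# with rights to modify users, groups and the target OU.
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,
    [string]$DisabledOuDn = "OU=Disabled Users,DC=corp,DC=example",  # assumed placeholder
    [string]$TicketId     = "TICKET-PLACEHOLDER"                       # assumed placeholder
)

# Locate the user object by sAMAccountName under the domain naming context.
$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDn  = $rootDse.defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found in $domainDn" }
$user = $hit.GetDirectoryEntry()

# 1. Record what would be lost on deletion or group removal in the Notes (info) attribute:
#    group membership and profile/home/logon-script paths. memberOf omits the primary group.
$groups = @($user.memberOf)
$record = @(
    "Disabled $(Get-Date -Format s) ref $TicketId",
    "Groups: " + ($groups -join "; "),
    "ProfilePath: $($user.profilePath) HomeDirectory: $($user.homeDirectory) ScriptPath: $($user.scriptPath)"
) -join "`r`n"
$user.Put("info", $record)

# 2. Disable the account and set a random password so the old credential cannot be reused
#    even if the disabled flag is later cleared by mistake. The SID is preserved.
$user.InvokeSet("AccountDisabled", $true)
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$user.Invoke("SetPassword", [Convert]::ToBase64String($bytes))

# 3. Hide the (retained) mailbox from the Global Address List. New mail still arrives until
#    the SMTP address is removed or reassigned, as Glen Knight and getzjd note above.
$user.Put("msExchHideFromAddressLists", $true)
$user.SetInfo()

# 4. Remove the account from every group it is a direct member of (primary group stays).
foreach ($groupDn in $groups) {
    $group = [ADSI]"LDAP://$groupDn"
    $group.Invoke("Remove", @($user.Path))
}

# 5. Move the object to the disabled-users OU so it is clearly parked, not in use.
$targetOu = [ADSI]"LDAP://$DisabledOuDn"
$user.MoveTo($targetOu)

Write-Output "Disabled, documented and moved $SamAccountName to $DisabledOuDn"
```

Usage: `.\Disable-LeaverAccount.ps1 -SamAccountName jdoe -TicketId HR-1234`. Because the membership list and profile paths are written to the Notes field before anything is removed, a mistaken disable (the "HR told us the wrong user" case raised later in the thread) can be reversed from the account's own properties; deleting the user and recreating it with the same name would not recover the SID or any directly assigned permissions.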
 
LVL 1

Expert Comment

by:paulms53
ID: 34183457
q4ugm: can you post that script?

Also, never delete an account in AD, always disable.  You can always add a user's mailbox through Outlook in the advanced settings.
0
 
LVL 12

Expert Comment

by:Dave
ID: 34183664
I suppose so, but it's been hacked around a lot. It needs amending at the start for the account that's allowed to send e-mails to the user, and the OU where you move them to once it's "disabled", though looking at the code it doesn't appear to actually disable the account, just set the password and hide it from the GAL...

If you want to disable the account add

objUserObj.AccountDisabled = True

just above the objuserobj.setinfo at line 155.

There are lots more examples on the net. I found some here:
http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/12/Default.aspx
There is also lots of info here:

http://www.lissware.net/

Dave
G4UGM
 disableuser1.txt
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34183723
>>Also, never delete an account in AD, always disable.

Why? There is no technical reason for not deleting a user.
0
 
LVL 12

Expert Comment

by:Dave
ID: 34183740

If you delete an account the SID is lost and can't be replaced. You can re-create an account with the same name but any permissions assigned directly to the account, rather than via group membership will be lost.

Disabling the account allows for quick recovery if it's done by mistake (or because HR tell you the wrong user has left)...
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34183760
Sure, that's down to policies and procedures and the notification period is dictated by that.

But if the process of deleting a user is the "norm" technically there is no reason not to do it.

I think we have deviated somewhat from the original question and could well be forcing our personal opinions on the author who already has a process in place.
0
 
LVL 1

Expert Comment

by:paulms53
ID: 34183780
demazter: you're right, i apologize
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 34201140
I agree, Demazter.  I think most people agree that the best practice is to retain the user's exchange contents.  I see two thoughts here that are both acceptable:

1. don't delete the account, just disable it so that you can keep the exchange profile active and accessible.

2. export the exchange profile, then delete the account.

Either should work for the OP's needs and should be decided upon based on company policy.  

p.s. I typically do a hybrid, disable the account for 30-60 days and then delete it once I am sure the user is not coming back.  
0