Michael Machie asked:
How to limit an AD account - Misc questions - not sure how to ask this

I have a customer who needs to keep an AD User account active but remove all ability to have emails sent to this User, without deleting the mailbox or the User account, with the ability to undo what we did quickly.

Basically, a staff member is on leave for an undetermined amount of time. In the meantime, I need to block all external access for the staff member (easy to do by changing passwords and disabling remote access) but also need to make sure any emails sent to the User are returned as invalid to the sender so they know to contact someone else, just as if they were terminated. We cannot delete the account or mailbox.

I have Disabled the User account but emails still route to the Inbox and the Out of Office reply is sent to the Sender. We do not want this as the Senders are not paying attention to the reply.  I have considered removing the email address from the User's AD account but am not sure if this will put the mailbox in a disconnected state, at which time I will need to monitor and make sure Exchange does not delete it following retention policies, since it is disconnected. I am in the process of backing up the mailbox to a PST in case anything is lost but I am sure another method is available - I just don't know what that method is.

Thoughts?
Please advise on options native to Exchange and/or AD to allow this, if possible.
Amit:

Just give a fake email address to the user's mailbox. Disable the automatic email address stamping setting. You need to use the EMC or EMS to do this.

Or

Just create another user, say test1, with a mailbox, merge the data of this user into the new test1 mailbox and get rid of this one.
Accepted solution: Will Szymkowski (text not shown on the page)

Lee:

You need to set the default e-mail address to something else. Then add the user's original e-mail address to the user you want to receive her messages. Optionally, create a distribution group (and turn off the out of office notification for the user) and assign the user's e-mail address to the distribution group and make sure the away user AND the person now responsible for that user's email are both members of the group - that will ensure that when the user returns, a copy of all messages received will be available. Or you can delegate access to that mailbox and then have someone else responsible for checking it and responding to messages from it. You'll have to adjust permissions on the mailbox to do this/share it.
Michael Machie (asker):
Good, very quick replies and info - thanks All.
I will review these options and see which one fits best. We will not forward email to someone else or have access to this box by someone else - we want it to replicate a non-existent account, but not actually terminate the staff or delete accounts.

@Amit: How do I change the email address stamp setting and what effect will that have globally?
@Will: This is kind of what I was thinking may be needed
@Lee: We do not want to grant access to this box to anyone else - that has been tried and is not working (the staff assigned are not keeping up with the emails, so I was tasked with implementing another method to force Senders to reach out to someone else). They still say "We sent 'xx' the email!" and argue the point. With an 'Undeliverable' message to them we can at least say to the Senders, "You received a reply stating the address is invalid and the email was not delivered."
 
I was thinking to do as Will suggested, but before doing so, set the retention policy on deleted mailboxes to a year. Then remove the email address from the account, allow the mailbox to go into a disconnected state, and let it sit disconnected for up to one year. When they return I can reconnect the mailbox to the User. Aside from all disconnected mailboxes hanging around for a year, would this work? Would this cause issues with people replying to a previously sent email to this User, say a year down the road when it is reconnected to the re-enabled User account?

Thoughts?
I think there is one more solution which is very easy to implement: create a transport rule so that if an e-mail is coming to that e-mail address, a rejection message is sent saying the e-mail address is invalid, and also redirect that mail to another test mailbox to keep all records in case the user returns and asks for all previous e-mails.
Open the user mailbox properties > go to the Email Addresses tab > below you will see one check box, "Automatically update e-mail addresses based on recipient policy"; uncheck it. Now edit the current email address and change it to the xyz.com domain > click Apply > OK.

This is going to affect only this user. Nothing else.
I gave you three options and you only acknowledged one.

Since what I wrote may not have been clear, when I said:
You need to set the default e-mail address to something else. Then add the user's original e-mail address to the user you want to receive her messages. Optionally, create a distribution group (and turn off the out of office notification for the user) and assign the user's e-mail address to the distribution group and make sure the away user AND the person now responsible for that user's email are both members of the group - that will ensure that when the user returns, a copy of all messages received will be available.

I meant I would probably:
1. Create a Distribution Group in Exchange for "Users On Leave" - give it an email address like UOL@yourdomain.com - this address will never be used or given out intentionally.
2. Give the on-leave user an ADDITIONAL e-mail address - awayfornow@yourdomain.com - and set it as primary. (You may have to un-check the box to automatically update the user's email address.)
3. REMOVE the user's normal email address.
4. ADD the on-leave user's email address to the list of e-mail addresses that apply to "Users On Leave".
5. Add the user on leave AND the other mailbox(es)/user(s) who you want to receive the on-leave user's email to the members of the Distribution group.
I do this for departed users at several clients - when someone is fired or leaves, I don't just delete the account, I alter the e-mail config and assign that person's email to a "departed users" distribution group and those in charge or covering them get all that person's email.
Lee, changing the email address is the easiest way. Lots of companies don't allow creating a DL for such a small request.
Thanks All!

@Amit: I appreciate the extra info. I thought that may be it but wanted to be sure.
@Amit Kumar Goyal: Thanks for the comment. I believe this is what Will was stating in the second half of his comment, and is an interesting idea.
@Lee: Thank you very much for the clarification. This definitely is a possibility moving forward and would probably work.

A few people mentioned the Transport Rule option, and that is probably the way to go. Will this affect the ability for people to reply to emails sent from this User's mailbox by selecting 'Reply' when the User returns? Or will it be fine and dandy? Seems like it should be fine.
Amit,

Look at the context of the question - if a company were big enough to have such a rule, they'd most likely have procedures and understanding to cover this already and the question wouldn't have been asked.
See, as you are not changing anything on the user's account, nothing will be changed; when the user is back, disable this transport rule and everything will be fine without any issue.

One more thing: if you want to deliver all e-mails to the user's account, then get consent from the user's reporting manager, reset the password and disable out of office, so at least the sender will not get the OOF notification.
Transport rules take a short time to replicate. You can apply transport rules to mails coming from outside the org, from inside the org, or to all e-mails. You can just initiate a forced AD replication and it will be replicated instantly.
The transport rule will affect whoever you want it to affect. You can specifically have only external users get auto replies, or you can configure both internal and external, or even just a specific user if you choose. This is entirely up to you.

And as for changing the primary SMTP to something ambiguous, that is not good practice. The most appropriate method would be a transport rule, as I originally stated in my first post.

Will.
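The transport rule approach the thread converges on, written out as Exchange Management Shell commands. This is an added example, not code posted by any participant; it assumes Exchange 2010 or later with the EMS loaded, and the alias 'jdoe' and address jdoe@contoso.example are placeholders.

```powershell
# Added example (not from the thread): bounce mail to an on-leave user while keeping
# the mailbox and AD account intact, with a one-line undo.
# Placeholders (assumptions): alias 'jdoe', address 'jdoe@contoso.example'.
$User    = 'jdoe'
$Address = 'jdoe@contoso.example'
$Rule    = "On leave - reject mail for $Address"

# 1. Turn off the Out of Office reply so senders only ever see the rejection NDR,
#    not an auto-reply they ignore.
Set-MailboxAutoReplyConfiguration -Identity $User -AutoReplyState Disabled

# 2. Reject anything addressed to the user with an NDR whose text reads like an
#    invalid address. Nothing on the mailbox or the AD account is changed.
#    -FromScope NotInOrganization limits the rule to external senders; remove that
#    parameter to reject internal mail as well. Note: transport rules only accept
#    5.7.1 or 5.7.900-5.7.999 as the enhanced status code, so this is a policy
#    rejection rather than a true 5.1.1 "user unknown".
New-TransportRule -Name $Rule `
    -SentTo $Address `
    -FromScope NotInOrganization `
    -RejectMessageReasonText 'This e-mail address is not valid and your message was not delivered. Please contact the main office for the correct contact.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments "Created $(Get-Date -Format s); staff on leave, mailbox retained" `
    -Enabled $true

# 3. Confirm the rule exists and is enabled before relying on it; transport rule
#    changes take a short while to replicate across servers.
Get-TransportRule -Identity $Rule |
    Format-List Name, State, Priority, SentTo, FromScope, RejectMessageReasonText

# Undo when the user returns: disable first (instant and reversible), remove once
# you have confirmed mail is flowing to the mailbox again.
# Disable-TransportRule -Identity $Rule
# Remove-TransportRule  -Identity $Rule -Confirm:$false
```

Send a test message from an external account after creating the rule and check that the NDR carries the custom reason text before announcing the change.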
Thanks for the updates to my questions. I have meetings all afternoon and will check out the transport rule option first.

Again, I appreciate all of the helpful and quick responses.

Update to follow in a day or two.
Thanks to all of you. I went through all scenarios and chose the best option for this scenario.

Much appreciation to all of you!