How long to keep people's AD/Exchange accounts
-
We have users in Exchange that are still active even though they have not worked here for years. I am told I cannot remove them. Any laws the company is breaking? We are a US-based company.
-
Most definitely violating security best practices. Always disable on termination, and then clean out yearly has been the way I've handled it in the past.
-
@kelly I should clarify my OP, the users are disabled but mail accounts are still active.
-
Well, if the mail is still active, then they are still taking up a license.
That is going to get expensive.
-
@momurda said in How long to keep people's AD/Exchange accounts:
@kelly I should clarify my OP, the users are disabled but mail accounts are still active.
Ah, good clarification. My approach with email was to export user's email to a pst, remove the account and add their address as an alias to their replacement or their boss. Eventually the boss would ask for it to be removed entirely.
However, I don't think there is any law that you're violating with email. It is expensive, but not terrible. As GDPR goes into effect next month that might change if you have data containing PII from EU citizens.
-
Are you on O365 or is this on-premise?
If O365 I would put the accounts into Litigation hold, this is less costly than a full license and means nothing can be deleted.
Write up a policy on how long the business wants to retain these accounts and email and then delete them after the expiration date.
If On-Premise I would still write up a retention policy, and then delete them after the expiration date.
-
I know it is different for businesses than schools but we (school) keep them active for two weeks if they drop. Then export to PST and give them instructions on how to migrate that data into GMail and disable the email/user. Our email retention policy is 30 days. I delete them in ECP and it holds onto the email/user for 30 days and then purges.
-
I have a pretty standard process:
- Employee is terminated.
- AD account disabled.
- AD account moved to 'Disabled Users' OU.
- AD password changed.
- Membership for all groups removed.
- Mailbox converted to shared mailbox for any mailbox needing to be actively monitored (frees up a license).
- Email forwarding set up if needed in the interim.
- Mailbox archived to PST and stored on a file server when it is no longer actively monitored.
- Mailbox disabled (automatically purged after 30 days).
- AD account removed after 30 days.
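
The procedure in the post above, sketched as PowerShell (an added example, not the poster's own script). It assumes the ActiveDirectory module and an on-premises Exchange Management Shell; the function names, OU path and PST share are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example; assumes an on-premises Exchange Management Shell session.
# Function names, the OU path and the PST share are placeholders.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com',
        [string]$ForwardTo   # optional: replacement or manager
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable, reset password, strip groups, move')) {
        Disable-ADAccount -Identity $user
        # Reset to a random value nobody knows
        $bytes = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret
        # MemberOf excludes the primary group (normally Domain Users), which cannot be removed
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        # Date stamp (an addition) so the 30-day removal can be scheduled from it
        Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format yyyy-MM-dd)"
        # Move last: the distinguished name changes afterwards
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Convert mailbox to shared')) {
        Set-Mailbox -Identity $SamAccountName -Type Shared
        if ($ForwardTo) {
            Set-Mailbox -Identity $SamAccountName -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
        }
    }
}

# Later phase: run once the mailbox no longer needs to be monitored.
function Export-RetiredMailbox {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$PstShare = '\\fileserver\pst-archive'   # placeholder UNC path
    )
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Export mailbox to PST')) {
        # Needs the Mailbox Import Export role and a UNC target path
        New-MailboxExportRequest -Mailbox $SamAccountName -FilePath "$PstShare\$SamAccountName.pst"
    }
}
```

Run both functions with `-WhatIf` first. `Disable-Mailbox` should wait until `Get-MailboxExportRequest` reports the export as Completed.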
-
Yes, I have a process I want to follow too but can't.
3 years after people have not worked here, they still have an email and I think it is stupid AF.
-
@momurda said in How long to keep people's AD/Exchange accounts:
Yes, I have a process I want to follow too but can't.
3 years after people have not worked here, they still have an email and I think it is stupid AF.
Indeed, it is stupid af. Easier to ask for forgiveness than to ask for permission.
-
@momurda said in How long to keep people's AD/Exchange accounts:
Yes, I have a process I want to follow too but can't.
3 years after people have not worked here, they still have an email and I think it is stupid AF.
- Sign up all the defunct addresses for catfacts, and then forward the account to their former boss
- Protest innocence
- ?????
- Profit
-
@kelly said in How long to keep people's AD/Exchange accounts:
@momurda said in How long to keep people's AD/Exchange accounts:
Yes, I have a process I want to follow too but can't.
3 years after people have not worked here, they still have an email and I think it is stupid AF.
- Sign up all the defunct addresses for catfacts, and then forward the account to their former boss
- Protest innocence
- ?????
- Save the Profits
FTFY
-
Just had to look up what catfacts is.
-
@momurda said in How long to keep people's AD/Exchange accounts:
Just had to look up what catfacts is.
-
@kelly said in How long to keep people's AD/Exchange accounts:
@momurda said in How long to keep people's AD/Exchange accounts:
Just had to look up what catfacts is.
This could be the best thing ever!
-
As soon as the person leaves we back up the account to PST and then archive it. That's all, then remove the AD account. No services should be tied to the account.
-
@kelly said in How long to keep people's AD/Exchange accounts:
@momurda said in How long to keep people's AD/Exchange accounts:
Just had to look up what catfacts is.
Someone needs to make sendcatfax.com too!
-
@scottalanmiller said in How long to keep people's AD/Exchange accounts:
@kelly said in How long to keep people's AD/Exchange accounts:
@momurda said in How long to keep people's AD/Exchange accounts:
Just had to look up what catfacts is.
Someone needs to make sendcatfax.com too!
Random, literally still faxing, cat pics to random numbers on a dialer.
-
@bbigford said in How long to keep people's AD/Exchange accounts:
@scottalanmiller said in How long to keep people's AD/Exchange accounts:
@kelly said in How long to keep people's AD/Exchange accounts:
@momurda said in How long to keep people's AD/Exchange accounts:
Just had to look up what catfacts is.
Someone needs to make sendcatfax.com too!
Random, literally still faxing, cat pics to random numbers on a dialer.
Yup, would be awesome.
-
Depending on who or which department, I archive their entire O365 account (email, calendar, etc) into a PST file.
I've been doing this via:
Exchange Admin > compliance management > in-place eDiscovery & hold > Click the + button > follow the wizard.
Use IE or Edge.
You are able to download the entire account to a .PST, archive it locally, to tape, or do what you want with it.