A truly effective IdM system should be able to tidy up user data as part of the user-decommissioning process. This might include zipping up home folders and, in the case of email, archiving mailboxes to something like a PST file.
My old method of archiving mailboxes with Exmerge when disabling Exchange users won’t work with Exchange 2007, so it’s time for an update.
Exmerge is no longer supported with Exchange 2007 and we are now supposed to use the Export-Mailbox cmdlet. When using it to export to a PST file the requirements are a little special:
- It will only work on 32-bit Windows, so you can’t use your Exchange 2007 servers. You will have to install the 32-bit version of the Exchange management tools onto a 32-bit server.
- The server must have Outlook 2003 or above installed.
But once you’ve sorted all that out, the cmdlet itself seems to work very well.
The truly great thing about it is that it works on disabled accounts! Part of the mucking about I did before with my Exmerge method was to try and get the mailboxes exported before allowing ILM to disable the user accounts. But now you can separate this archiving activity entirely from your ILM server. Just run a scheduled task somewhere else that looks for disabled mailbox users that don’t yet have an archive flag set. Maybe you could then check the archive flag before you allow ILM to completely delete the account.
Now I haven’t yet sufficiently got the hang of PowerShell to do the whole thing that way. So I’m sort of cheating by doing all the AD lookup stuff in VBScript, populating a CSV file with a to-do list, and then feeding that to a short PowerShell script.
First, the PowerShell script
import-csv list.csv | foreach {Add-MailboxPermission -Identity $_.DN -User 'domain\script_account' -AccessRights 'FullAccess'}
import-csv list.csv | foreach {Export-Mailbox -Identity $_.DN -PSTFolderPath C:\Archived_Mailboxes -Confirm:$false} | out-file -filepath "C:\scripts\archive_mailbox\ps1output.txt" -encoding "ASCII"
The first line gives full mailbox access to the account that is running the script (domain\script_account in the example).
The second line does the actual export and puts the PST files into the folder C:\Archived_Mailboxes. I have redirected the output to a text file so I can check it for status later.
The script expects a very simple file, just listing the user DNs under the heading “DN”.
DN
"CN=p.smith,OU=Staff,DC=myorg,DC=com"
"CN=f.bloggs,OU=Staff,DC=myorg,DC=com"
Next, the VBScript
Actually it’s far too long to put in this post so I’ve put the whole thing here.
But in summary what I’m doing is
- Finding all the users of interest in AD and then listing them in a CSV file.
- Calling the PowerShell script.
- Doing one of those annoying wait loops to stop VBScript ploughing straight ahead without giving the PowerShell script a chance to finish its job.
- Finally, checking the output file from powershell to confirm if the mailboxes were exported. If they were, the script updates the user’s archive flag.
If you don’t like the wait loop you might be able to schedule another script to run later and look for success messages from “Exchange Migration” in the Application Event Log, and update the user’s archive flag accordingly.
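Here is the same to-do list, export, check and flag-update flow written as a single pass in the Exchange Management Shell, as an added example rather than the script from the post. It is meant for the 32-bit box that carries the management tools and Outlook. What it assumes, none of which comes from the original post: the archive flag is kept in extensionAttribute1 with the value "archived", the log goes to C:\scripts\archive_log.txt, the account granted FullAccess is read from the current login so it always matches the account running the script, and the Get-EventLog parameters used in the last function need PowerShell 2.0. It also shows the event-log alternative to the wait loop mentioned above, as a function that returns the "Exchange Migration" entries written since a given time.

```powershell
# Added example, not the author's script. Runs in the Exchange 2007 Management Shell.
$PstFolder = "C:\Archived_Mailboxes"            # PST destination, as in the post
$FlagAttr  = "extensionAttribute1"              # assumed attribute holding the archive flag
$FlagValue = "archived"                         # assumed value meaning "mailbox exported"
$LogFile   = "C:\scripts\archive_log.txt"       # assumed location for the status log

# The account that receives FullAccess must be the account running the script
# (the "Unknown error" case), so take it from the current identity rather than
# hard-coding a name.
$RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Get-DisabledMailboxUsersToArchive {
    # Same AD lookup the post does in VBScript: mailbox-enabled users (homeMDB set)
    # whose account is disabled (userAccountControl bit 0x2) and whose archive
    # flag is not yet set. Returns their distinguished names.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=2)(!($FlagAttr=$FlagValue)))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($result in $searcher.FindAll()) {
        $result.Properties["distinguishedname"][0]
    }
}

function Export-DisabledMailbox([string]$dn) {
    # Grant the running account full mailbox access, then export. Returns $true
    # only when the Export-Mailbox report object carries StatusCode 0.
    Add-MailboxPermission -Identity $dn -User $RunningAs -AccessRights FullAccess | Out-Null
    $report = Export-Mailbox -Identity $dn -PSTFolderPath $PstFolder -Confirm:$false `
        -ErrorAction SilentlyContinue
    if ($report -and $report.StatusCode -eq 0) { return $true }
    return $false
}

function Set-ArchiveFlag([string]$dn) {
    # Record the successful export on the user object so the IdM/ILM side can
    # check the flag before it deletes the account.
    $user = [ADSI]("LDAP://" + $dn)
    $user.Put($FlagAttr, $FlagValue)
    $user.SetInfo()
}

function Get-ExchangeMigrationEvents([datetime]$since) {
    # Alternative to the wait loop: pull the "Exchange Migration" entries written
    # to the Application log since $since so a later run can reconcile flags from
    # them. Confirm the exact success wording in your own environment before
    # matching on the Message text.
    Get-EventLog -LogName Application -Source "Exchange Migration" -After $since |
        Where-Object { $_.EntryType -eq "Information" }
}

# Main pass: export each candidate, set the flag only on confirmed success, and
# leave an ASCII status line per user, like the redirected output in the post.
$started = Get-Date
foreach ($dn in Get-DisabledMailboxUsersToArchive) {
    if (Export-DisabledMailbox $dn) {
        Set-ArchiveFlag $dn
        "OK    $dn" | Out-File -FilePath $LogFile -Append -Encoding ASCII
    } else {
        "FAIL  $dn" | Out-File -FilePath $LogFile -Append -Encoding ASCII
    }
}
Get-ExchangeMigrationEvents $started | Format-List TimeGenerated, Message
```

Because the flag is only written after Export-Mailbox reports success, a user left without the flag is exactly the case to re-run or investigate, and the ILM deletion step can refuse to remove any account that still lacks it.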
Troubleshooting
If you get an “Unknown error” (helpful that one) then check which account you were using to run the PowerShell script. It has to be the same one that you’re granting the full mailbox access.
Any chance you can provide a link to download the vbs file directly? I keep getting ‘invalid character’ errors, I think there are some unicode chars I can’t see in there when I try just cutting & pasting.
It’s most likely the quotes – WordPress insists on changing them. Just do a find and replace on all the single- and double-quotes and you should be ok.