Need a way to not delete an account that is marked for litigation hold

Hello Community,

I'm trying to find a way that I can incorporate into my standard Deprovision Policy explained below.

Corp deprovisioning policy for users.
Disable Account
Sets Password Random
Group membership – Remove!
Exchange Mailbox – disable / Hide from GAL
HomeFolder – disable / remove user access
Move to OU=Disabled Users
Delete in 30 days 
Description = “Terminated YYYY-MM-DD by <Account> - %description%”

I need to add the following somehow: Delete in 30 days "only if LitigationHoldEnabled AD attribute is FALSE"

Can anyone give me any help?

Thank you

Todd Tobias

Todd_Tobias@ultimatesoftware.com

  • A "codeless" way to handle this would be to have two separate OUs for the Deprovisioned Users:

    One for those with litigation hold and one for those without. Then just have two policies applied appropriately on the respective OUs i.e. one with the 30 days and one without.
  • or msExchLitigationHoldDate is present
  • Hello Todd,

    I created a solution some time ago which should be useful:

    Title: Triggering the Automatic Deletion of Microsoft Exchange Mailbox X days after Deprovisioning
    Solution Number: 153541
    URL: support.quest.com/.../153541
  • Only thing is only special individuals know if an account is on litigation hold, also the account may be enabled, but only on Hold.
  • I basically need to not delete the account and mailbox if it's marked on msExchLitigationHoldDate is present
  • Understood. You could probably achieve this easily with an AR workflow that:

    1) Detects the user deprovision action (trigger condition)
    2) Checks to see if msExchLitigationHoldDate is populated (Within the workflow, an If / Then Activity on the user property)
    3) If it is populated, then clear the deprovision date virtual attribute (built in "Update" activity)
  • Create two separate MUs with separate Deprovision Policies attached to them.
    MU1(LitigationHoldEnabled -eq True) -Deprovision1 with No Account, Mbx deletion
    MU2(LitigationHoldEnabled -ne True or Empty) -Deprovision2 with Account, Mbx deletion in X days

  • I have dealt with this type of thing in several ways, what I have found most effective is to move these accounts in particular to a protected type of OU, and have them 'prevent from accidental deletion'. Ensure that you either clear, or do not set the attribute edsvaDeprovisionDeletionDate, also set edsvaProtectFromDeletion = True.

    I would try to avoid workflows as much as possible, they seem to work best for cleanup tasks and searching, but not as something to be relied upon for this type of production. Though you can, I just don't recommend it.

  • This coupled with Aidar's approach to deprovision policy scope to the Managed Units would work well.
  • edsvaProtectFromDeletion is not found on my system. Is this something I need to create as a Virtual Attb.?
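
The check the replies above converge on, as an added example that is not from the thread or from Quest: a read-only PowerShell audit that lists users under litigation hold (msExchLitigationHoldDate populated) who still carry a scheduled deletion date (edsvaDeprovisionDeletionDate). It assumes the Active Roles Management Shell cmdlets are loaded, and the OU distinguished name is a placeholder.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
# Assumption: the Active Roles Management Shell (Connect-QADService,
# Get-QADUser) is already loaded in this session.
param(
    # Placeholder DN: replace with the OU your deprovision policy moves users to.
    [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com'
)

# Connect through the Active Roles Administration Service so that virtual
# attributes (edsva*) are returned, not only native AD attributes.
Connect-QADService -Proxy | Out-Null

$attrs = 'msExchLitigationHoldDate', 'edsvaDeprovisionDeletionDate'

# Every user in the OU whose litigation hold date is populated.
$held = Get-QADUser -Proxy -SearchRoot $DisabledOu -SizeLimit 0 `
            -LdapFilter '(msExchLitigationHoldDate=*)' `
            -IncludedProperties $attrs

$report = foreach ($u in $held) {
    $deleteOn = $u.edsvaDeprovisionDeletionDate
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DN                = $u.DN
        LitigationHoldSet = $u.msExchLitigationHoldDate
        ScheduledDeletion = $deleteOn
        # Under hold AND still scheduled for deletion: needs attention.
        AtRisk            = [bool]$deleteOn
    }
}

$report | Sort-Object ScheduledDeletion | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring job can alert on it.
$atRisk = @($report | Where-Object { $_.AtRisk })
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) account(s) under litigation hold still have a deletion date set."
    exit 1
}
```

Running this on a schedule gives an independent check that whichever approach is chosen (separate OUs, Managed Units, or a workflow) is actually keeping held accounts out of the deletion queue.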