In most large organizations, the Active Directory (AD) team and Messaging Team are separate, and in most cases don't coordinate their account operations very much...meaning they don't talk to each other, until it's too late.
Case in point: A user's mailbox is under Litigation Hold. The Exchange admins know this, the AD admins don't. The AD admins delete the AD account from Active Directory Users and Computers (ADUC) effectively disabling the mailbox...and all content needed for legal hold goes with it.
An easy way to prevent this from happening is to set the AD account's Description field to something like "Litigation Hold - Do Not Delete" and to set the "Prevent Accidental Deletion" flag to Enabled on the object.
For that purpose, I've created the following script, which will prompt you for a user, append the description, and enable deletion protection.
Instead of manually setting Litigation Hold in Exchange, run this script in the Exchange Management Shell (EMS), which will set everything for you. Then when the AD admins look at the account, they'll hopefully see the "Do Not Delete" description and even if they try, ADUC will throw an error that it's protected from deletion!
**Note** We run ServiceNow (SNOW) in our environment, which has the power to delete AD accounts. Through my testing, SNOW honors the Prevent Deletion flag as well and will throw an error, so I would assume most automation suites would too.
You can grab the script from my GDrive or copy/paste the following block into Notepad and save as "Set-Litigation-ADProtection.ps1":
```powershell
#######################################################
# This script will prompt you for a mailbox, then
# set Litigation Hold, change AD description,
# and set AD deletion protection on account
#
# Run Set-Litigation-ADProtection.ps1 in the EMS
#
# Stacey Branham
#
# 2021
#######################################################
# The EMS does not load the AD cmdlets on its own (requires the RSAT AD module)
Import-Module ActiveDirectory

$name = Read-Host "Enter a username"

## Append legal hold disclaimer to AD Description field
Get-ADUser "$name" -Properties Description |
    ForEach-Object { Set-ADUser $_ -Description "$($_.Description) - Do Not Delete - Legal Hold" }

## Enable accidental deletion protection on account
Get-ADUser "$name" |
    ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true }

## Enable Litigation Hold on Mailbox
Set-Mailbox "$name" -LitigationHoldEnabled $true

# Give the Set cmdlets and AD replication time to settle before re-reading
Start-Sleep -Seconds 30

## Checking our work (look the AD object up by the username entered, not by the
## mailbox display name, which does not always match the sAMAccountName)
Get-Mailbox "$name" | Format-List Name, LitigationHoldEnabled,
    @{N='Description'; E={ (Get-ADUser $name -Properties Description).Description }},
    @{N='Protected';   E={ (Get-ADUser $name -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion }}

Write-Host "All Done, check the above settings! `n`n" -ForegroundColor Green
```
**Note** You can change the "- Do Not Delete - Legal Hold" string in the Set-ADUser line to something of your choosing...that is what will be appended to the current Description field.
**Note** If you have a large AD environment with slow replication, you may need to raise the Start-Sleep from 30 seconds to 60 or higher to give the "Set" cmdlets time to finish.
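Because the two teams rarely coordinate, the flag and the description can still drift apart over time (an AD admin clears the flag, a mailbox is put on hold directly in Exchange). As an added example, not part of the original post or script, here is a read-only reconciliation pass for the EMS that lists every mailbox on Litigation Hold whose AD account is either unprotected or missing the marker text. The marker string, and the choice to filter mailboxes client-side with Where-Object, are assumptions.

```powershell
# Added example: report Litigation Hold mailboxes whose AD account lacks
# deletion protection or the "Do Not Delete" marker. Read-only; run in the EMS.
Import-Module ActiveDirectory

# Assumed marker; matches the text the setup script appends to Description
$marker = 'Do Not Delete'

# Client-side filter keeps this independent of which properties are server-filterable
$drift = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    ForEach-Object {
        $ad = Get-ADUser -Identity $_.SamAccountName `
                         -Properties Description, ProtectedFromAccidentalDeletion
        [pscustomobject]@{
            Mailbox    = $_.Name
            SamAccount = $_.SamAccountName
            Protected  = [bool]$ad.ProtectedFromAccidentalDeletion
            HasMarker  = ($ad.Description -like "*$marker*")
        }
    } |
    Where-Object { -not $_.Protected -or -not $_.HasMarker }

if ($drift) {
    Write-Host "Mailboxes on hold with unprotected or unlabelled AD accounts:" -ForegroundColor Yellow
    $drift | Format-Table -AutoSize
} else {
    Write-Host "All mailboxes on Litigation Hold have protected, labelled AD accounts." -ForegroundColor Green
}
```

Schedule it alongside the setup script; any row it prints is an account the protection script above should be re-run against.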
Now, your users under Hold won't be deleted and you'll save yourself the headache of de-tombstoning the AD account and reconnecting the mailbox!