A lot of thought goes into provisioning and maintaining employees' mailboxes, but little thought typically goes into what to do with those mailboxes after their owners leave the company. Your initial thought might be to delete such mailboxes, but that might not be the best plan, at least not right away. For example, in some cases, immediately hiding the mailbox might be advantageous; in other cases, leaving the mailbox visible but preventing it from receiving new messages might be the best approach.
Maintaining a former employee's mailbox is a good idea for many reasons. The mailbox might contain important messages and documents, so deleting it could erase quotes or proposals related to active projects or important messages that haven't been opened. If the employee organized recurring meetings, associated resources such as conference rooms and equipment are probably reserved for specific time slots. You can't simply transfer the Exchange schedule objects that define the meeting times and resources to another employee; whoever assumes responsibility for the meeting must send new meeting invitations. And most organizations use some type of direct booking or automated resource scheduling, so if the new organizer wants to continue to hold a meeting at the originally scheduled time and use the same resources, the original meeting must first be canceled. If you delete the mailbox, you won't be able to send meeting cancellation notices. In addition, when an employee leaves, you need to let that employee's contacts know that he or she has left the company and tell them who's assuming the employee's responsibilities. Not conveying this information can cause customer- or public-relations problems. Finally, what you decide to do with the mailbox affects system resources.
Nine Exchange configurations and options can help you balance functionality, system stability, and resources when you close out mailboxes. You probably won't use all these configurations when you close out a mailbox. More likely, you'll initially apply a few of them to every mailbox and use some combination of the others as needed to decommission mailboxes over time.
1. Disable, Don't Delete
You need to decide how long to keep closed-out mailboxes online. The version of Exchange you run and how long other people need to access the mailbox content, especially calendars, will factor into your decision. If you run Exchange 2000 Server or later, deleting the Active Directory (AD) account automatically flags the mailbox for deletion and keeps it in the Exchange Store for a period of time referred to as the mailbox recovery window. By default, the mailbox remains in the Store for 30 days after you delete the AD account, but you can change this interval. Although the mailbox is in the Store, it isn't accessible, and you'll need to consider this fact when you determine standard procedures for closing out AD accounts. If other people need to access the mailbox, you'll need to use the Mailbox Recovery Center to disable, not delete, the AD account. As long as the mailbox recovery window hasn't closed, you can still reactivate the account by reassociating it with a new AD account. (For more information about how to reassociate the account, see the Microsoft articles "How to recover or to restore a single mailbox in Exchange Server 2003" at http://support.microsoft.com/?kbid=823176 and "How to Recover or Restore a Single Mailbox in Exchange 2000 Server" at http://support.microsoft.com/?kbid=813337.) This process provides a safety mechanism or buffer for the inevitable last-minute requests to access mailboxes.
Although you can recover a mailbox by reassociating it with a new AD account in Exchange 2000 and later, I recommend that you don't immediately delete the AD account. Microsoft has simplified the process of reassociating a mailbox with a new AD account, but it's still easier to disable the account first, then return later to delete it. I suggest disabling the AD account for 60 days and, when that time is up, deleting the account using the default mailbox recovery window of 30 days. This approach provides ease of access while the organization transitions from the loss of the employee but lets you eventually reclaim the resources. If you want a simple mechanism to keep track of which accounts you need to revisit for deletion, create 12 organizational units (OUs) in AD, one for each month. When you disable an account, move it to the OU for the month in which the account should be deleted. On the last day of each month, delete all accounts in the month's OU. For example, if you disable an account in March and you want to keep the account disabled for 60 days, drag the account to May's OU. Then, on the last day of May, delete all the accounts in that OU. This approach lets you accommodate special situations in which mailboxes need to be kept online longer than the standard window but prevents them from remaining online indefinitely.
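The month-OU rotation described above can be scripted. This is an added example, not code from the article, and it assumes a domain where the ActiveDirectory PowerShell module is available; the parent OU, the DEL-01 to DEL-12 child OU names, and the function names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Assumed names, not from the article: a parent OU holding twelve child OUs DEL-01 .. DEL-12.
$ParentOU      = 'OU=Closed Accounts,DC=example,DC=com'
$RetentionDays = 60   # disabled period suggested in the text

function Get-DeletionOU {
    param([datetime]$DisabledOn = (Get-Date), [int]$Days = $RetentionDays)
    # Pick the OU for the month in which the disabled period ends.
    $due = $DisabledOn.AddDays($Days)
    'OU=DEL-{0:D2},{1}' -f $due.Month, $ParentOU
}

function Close-Account {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = $RetentionDays)
    $user   = Get-ADUser -Identity $SamAccountName
    $target = Get-DeletionOU -Days $Days
    Disable-ADAccount -Identity $user
    # Stamp the date so a later review can see how long the account has waited.
    $note = 'Disabled {0:yyyy-MM-dd}; delete after {1} days' -f (Get-Date), $Days
    Set-ADUser -Identity $user -Description $note
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $target
}

function Remove-DueAccount {
    # Run on the last day of the month; lists by default, deletes only with -Commit.
    param([int]$Month = (Get-Date).Month, [switch]$Commit)
    $ou = 'OU=DEL-{0:D2},{1}' -f $Month, $ParentOU
    foreach ($a in (Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter *)) {
        if ($a.Enabled) {
            # Someone re-enabled this account after it was parked; leave it for review.
            Write-Warning "$($a.SamAccountName) is enabled in $ou; skipped"
            continue
        }
        if ($Commit) { Remove-ADUser -Identity $a -Confirm:$false }
        else         { "Would delete $($a.DistinguishedName)" }
    }
}
```

Because the OUs are keyed by month only, a `-Days` value of a year or more wraps into an OU that is emptied earlier than intended; handle those accounts outside the rotation.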
If you're running Exchange Server 5.5, deleting the domain account and deleting the mailbox are independent operations. When you delete the domain account, the mailbox remains fully active in the Information Store (IS); you must use the Exchange Server Administrator program to delete it. When you delete the domain account, the mailbox's primary account no longer exists. But any other account that had mailbox permissions can continue to access its content. In addition, Exchange 5.5 doesn't have a recovery window that you can use to reactivate the mailbox after you delete it. If you delete an Exchange 5.5 mailbox, then want to recover its contents, you'll have to restore the entire IS to a recovery server. I generally recommend a 60-day recovery window for Exchange 5.5 environments.
I also use a trick for revisiting Exchange 5.5 mailboxes. Although it isn't as simple as using the AD OUs, it isn't too time-consuming and can even be automated. Create 12 disabled domain accounts, one for each month (e.g., DELEXCH-JAN, DELEXCH-FEB). After you delete the original user's domain account, replace the mailbox's primary Windows NT account with the disabled domain account that represents the month during which you want to delete the mailbox. At the end of each month, you can export the account directory to a .csv file. Search for the accounts that have that month's DELEXCH account set as the primary NT account, then use a .csv file import to delete those mailboxes.
2. Hide the Mailbox and Review Access
Users won't always need immediate access to a closed-out mailbox. If that's the case, hide the mailbox to give the perception that you've deleted the account and to prevent users from using the Global Address List (GAL) to send messages to the account. Hiding the mailbox also makes it a little more difficult for users who have access rights to open it. For example, after you hide a mailbox, users can no longer use the GAL or the automatic name resolution in Outlook to find and open the mailbox by clicking File, Open, Other User's Folder. The hidden mailbox can still be accessed, but doing so requires special knowledge that most users don't have. (Opening a hidden mailbox requires providing the mailbox's distinguished directory name in the /o=organization/ou=Administrative Group or Site/cn=container/cn=mailbox format.) The Microsoft article "XCLN: Mailing to Recipients Hidden from the Address Book" at http://support.microsoft.com/?kbid=142781 describes how to email a hidden recipient; the same concepts apply to the File, Open, Other User's Folder feature.
You should also review delegation assignments and access permissions on the mailbox folders to determine which users might still have access. Consult your security policy to determine whether to remove the permissions. Some organizations leave the decision to the former employee's supervisor; others opt to remove all permissions and regrant access on an as-needed basis.