4

Is there a way to make a global change to either Exchange or group policy so if an email is received from an email address it will not go into the users mailbox but be forwarded on instead.

Basically we do not want personal information being forwarded on to other users when their OOF is on.

... Alternatively is there a way to set OOF so that it does not forward on an email from a specific address and puts it in the users inbox but forwards on the rest of the emails as it would normally do?

Just to completely clarify things. Our users use Out of Office which forward on their emails when they are away on holiday so other users can chase up their work. However we have a new HR system that emails out to everyone and we do not want that email to be forwarded on when they are on holiday to another user. Or alternatively the email in question gets forwarded on to a specified mailbox when OOF is on and the rest of the emails go to the User dealing with their work.

Matt
  • 579
  • 5
  • 11
  • 24
  • 1
    This is confusing. In the first bit you say you want it forwarded, in the second bit, you say you do not want it forwarded. :/ – HopelessN00b Jun 18 '14 at 14:26
  • To clarify. If a user has their OOF on, an email sent from a certain address being received is sent to another mailbox (one allocated). Not to be forwarded to another user taking over the emails of the user while they are away or on holiday. – Matt Jun 18 '14 at 15:20
  • 1
    There isn't native functionality in Exchange to do what you're looking for. I asusme youre looking for something client-side controllable (like OOF is), so I think your best bet is to train the user not to use OOF and, instead, to replicate the functionality using Outlook rules (http://bit.ly/1jM6Y39). It's ugly, because you'll need the user to leave Outlook open while out (and, if Outlook gets closed and re-opened, it will lose track of the recipients it has sent OOF messages to already). You should have enough flexibility in Outlook rules, though, to do what you're looking for. – Evan Anderson Jun 24 '14 at 22:22
  • I've previously advised users to create rules like this from the ECP interface, as it prevents them adding anything that requires Outlook to be running. – James Ruskin Jun 25 '14 at 12:50
  • I'd like to just add as more of an FYI that earlier a comment was posted about Transport Rules not being able to know whether OOO was on or not so it wouldn't work that well and it really doesn't matter if OOO can be detected by Transport Rules or not. The Rule, if set up correctly, would apply all of the time whether OOO was on or not on the client side; of course you would want to target the HR specific email that sends personal info rather than all communications from them, but it would, in fact, work without the previously stated drawback. – Brad Bouchard Jun 26 '14 at 14:48
  • @Brad, agree. I totally thought the same thing about that comment. You would want to restrict private email from forwarding regardless of OOO status. – Joshua Huber Jun 26 '14 at 18:08
  • @JoshuaHuber glad I wasn't the only one... congrats on the bounty, and a well formatted answer my friend. – Brad Bouchard Jun 26 '14 at 18:50

3 Answers3

1

I haven't done this, but it seems like you could probably do this in Exchange 2010/2013 using Information Rights Management (IRM). If you've ever seen Outlook messages marked as "Do not forward", this is what I'm talking about. You can configure it in Exchange Management Console from the Hub Transport server or via the New-OutlookProtectionRule cmdlet.

Some examples of similar IRM rules using the cmdlet:

New-OutlookProtectionRule
    -Name "IT Confidential"
    -SentTo "it@elieb.info"
    -ApplyRightsProtectionTemplate "Do Not (Forward/Reply)"

New-OutlookProtectionRule
    -"Legal-Do Not Forward"
    -FromDepartment Legal
    -ApplyRightsProtectionTemplate "Do Not Forward"

Links:

http://help.outlook.com/en-us/140/gg598216.aspx

https://www.simple-talk.com/sysadmin/exchange/an-introduction-to-information-rights-management-in-exchange-2010/ - This site is well presented and has an example of:

protecting any incoming mail that contains the keyword “Salary” in its subject field with the “Do Not (Reply/Forward)” template

Joshua Huber
  • 807
  • 5
  • 7
  • Hi Joshua, Thank you - this is the sort of thing I was looking for. I have checked the Transport rules and there is "rights protect message with RMS template" which is blank when you click edit, so im looking into creating a Do not Forward Rule. I hope im on the correct path now. Matt – Matt Jun 24 '14 at 14:35
  • Wow, so the OP liked my answer and upvoted it. Then later, another answer is posted which expanded on my answer and had a nice JPEG, but became a mini-flame war and somehow I got downvoted in the process. Speechless. Anyhow, about to post another somewhat different answer ... stay tuned. – Joshua Huber Jun 25 '14 at 13:09
  • Yes I do not get it either, Im currently checking this out its been very helpful. – Matt Jun 25 '14 at 13:14
  • Got me too. I was gonna post a hacky PS script to run as a scheduled task to achieve the same thing, but this is a much better approach, provided it works. – HopelessN00b Jun 25 '14 at 17:11
  • It looks as though our system is not setup for IRM. Im intrigued about the RMS templates in the Transport rules but will need assistance in setting it up, so this looks like the best answer so far and closest to the solution. – Matt Jun 26 '14 at 11:11
  • I just cannot believe such a relatively simple thing has turned out to be quite difficult. All I wanted was OOO not to forward on one email address but forward the rest :). – Matt Jun 26 '14 at 11:14
1

You could use one of two methods, both require some input/work from the end user and the IT staff.

Option 1: Use Outlook Rules and apply a rule that states that when an email is received from HR to not forward it (whether by OOF or some other means). The problem here, is that you have to leave Outlook running on the users computer for the rule to function correctly. You also can't account for something like a power outage or the computer going to sleep and disconnecting Outlook altogether; in those scenarios someone would have to log back in as the user and open Outlook again.

Option 2: Use Transport Rules on the Exchange server which is cleaner, but requires your user to notify IT when they are going on vacation/holiday.

For Transport Rules, you'll find these (in 2010 for example) in the Exchange Management Console > Organization Configuration > Hub Transport.

From here you could create a new rule and apply it to certain groups (if you want the rule applied to specific people, make an Active Directory Security Group and add people to it, then apply this rule to that Group), or to everyone. The rule could do one of many different things. See my screenshot below for an example of 4 helpful, and closely related to what you're talking about, things:

enter image description here

Give me a real life example of what you're talking about in your company and I could probably help you design the Transport Rule. Let me know your thoughts on this. Thanks.

EDIT

I should note that my solution caters much more to the author's original question (or first of three I should say) which was:

Is there a way to make a global change to either Exchange or group policy so if an email is received from an email address it will not go into the users mailbox but be forwarded on instead.

Brad Bouchard
  • 2,507
  • 2
  • 12
  • 22
  • A transport rule can't know if the user's OOF is enabled. This is also not client-side configurable, so presumably when the user needs this enabled they'll need to contact IT support. – Evan Anderson Jun 24 '14 at 20:39
  • I wouldn't presume that they want this functionality on the client side. This is something that I, as an admin, would want to control even if I trust my users. It's the Reagan system; trust, but confirm. And, this still solves his (let's be honest it's quite the question/request) initial request of not allowing the message to go to the user's inbox, but rather be transported somewhere else. Not quite understanding the downvote. – Brad Bouchard Jun 24 '14 at 21:49
  • The OP says "Basically we do not want personal information being forwarded on to other users when their OOF is on." Transport Rules can't know if the OOF is on, ergo Transport Rules don't solve the OP's problem. Further, since the user is the one who turns OOF on and off it seems reasonable to assume the OP wants client-side controllable functionality that comes on and goes off when OOF is enabled or disabled by the user. – Evan Anderson Jun 24 '14 at 22:03
  • You skipped right over the first sentence in the original question which says... "Is there a way to make a global change to either Exchange or group policy so if an email is received from an email address it will not go into the users mailbox but be forwarded on instead." That my friend, is what I addressed. Not sure how that isn't clear to you. – Brad Bouchard Jun 24 '14 at 22:09
  • 2
    You're absolutely right! The second and third paragraphs are meaningless. Surely the OP didn't include those for any reason, and definitely not to further describe their business need. I should have stopped reading after the first paragraph since there is a technically correct answer to that bit that doesn't take into account the messy details of actual business needs. The fact that the OP put "OOF" in the question title doesn't mean OOF is at all important. >sigh< We wonder, in our industry, why people become infuriated with IT support not giving them what they want. I mean, come on! – Evan Anderson Jun 24 '14 at 22:18
  • I'll be sure to take off that downvote if you drop on an edit and my vote is unlocked. Heck, I'll even upvote you, since you technically do "solve" the OP's problem. I'll even delete my answer, too, because I wouldn't want to appear biased. (I will, however, throw my answer into a comment so the OP can, at least, see what I had some thoughts about it.) I certainly wouldn't want to stand in the way of a "technically correct" answer winning out. – Evan Anderson Jun 24 '14 at 22:26
  • If it is, in fact, that important to you, then you win. I edited my answer to reflect the fact that my solution caters much more to his first question rather than his last 2; although it does address 2 of the 3 very well. I'd like to say that in my opinion it's spats like these between admins like us that infuriate people with IT as much or more than not giving them what they want as you put it. I didn't set out to indulge in a meaningless (IMHO) argument with you, but simply wanted to provide a solution to an already convoluted question. Forgive me if I offended you. – Brad Bouchard Jun 24 '14 at 22:39
  • Hi, Just to completely clarify things. Our users use Out of Office which forward on their emails when they are away on holiday so other users can chase up their work. However we have a new HR system that emails out to everyone and we do not want that email to be forwarded on when they are on holiday to another user. – Matt Jun 25 '14 at 11:44
0

An alternate answer and perspective, hopefully much simpler: Using sensitivity headers + IRM. Read on...

Outlook/Exchange already supports "sensitivity" properties of an email, but they are advisory only until you enable IRM. In other words, I can send you an email and set it as sensitivity=Private, but when you view the email, you simply see an info tip the email is private -- you could still forward it, or worse your OOF would still forward it. When you enable IRM, you could set a policy that restricts forwarding of emails with Personal sensitivity (and probably as well Private and Confidential sensitivities).

This solution would have side benefit that if Mary sends Bill a Private email about how bad the boss smells, but Bill is OOF, the email will not be forwarded. I would think that users would expect this by default: if you send someone a "Private" email, you don't expect it to be auto-forwarded to someone else.

The crux of in the approach is you will need to get the new HR program to set the sensitivity header on the email. If not possible, there's still hope: you might be able to have Exchange use a server-side rule that tags all emails from the HR address as sensitivity Personal. These sensitivity headers are not as proprietary as you'd think -- Microsoft actually followed RFC 2156 https://www.rfc-editor.org/rfc/rfc2156#section-5.3.4. So in theory, a non-Microsoft sender could activiate these sensitivity flags on an email. My instinct is that I even good-old Unix sendmail could send emails as Personal by adding the flag in the MIME header. Haven't tested yet -- would love to see if it works for you.

Less maintenance. If you're the Exchange admin, you want a simple solution. If 20 departments want some emails to not auto-forward, you don't want to set up and maintain 20 rules. You would just tell them that they need to set the email header as Personal, Private, or Confidential, as appropriate. One rule to rule them all.

Let the business decide which ones they want to mark as sensitive, and let Exchange/Outlook use IRM to uphold the business' wishes. Best yet, if you have an HR system that sends different kinds of emails, some are personal (about your disability benefits regarding your recent tuberculosis), some are not so personal (letting people know there's still 7 days left in HR open enrollment; letting people know there's going to be maintenance this weekend and the HR system will be unavailable Sunday ...).

Serverfault: Which mail header does Outlook 2003+ use to indicate the confidentiality?

enter image description here

enter image description here

Community
  • 1
Joshua Huber
  • 807
  • 5
  • 7
  • wth? Who keeps downvoting my answers? Step up and add a comment if you find something wrong with my approach. – Joshua Huber Jun 26 '14 at 15:05
  • I also got downvoted today too without any comments or explanation and I'm not sure why. – Brad Bouchard Jun 26 '14 at 16:13
  • Takes a lot of nerve to downvote someone, whoever is doing this, especially with no comment. I practically never downvote unless a question or answer is really off-base or does not meet quality, which is rare. I actually did research to come up with this answer, only to have my lose -2 reputation from the downvote. Your answer was constructive and added to the thread, too. I surely didn't downvote you. – Joshua Huber Jun 26 '14 at 16:19