Is there a way to make a global change to either Exchange or group policy so if an email is received from an email address it will not go into the user's mailbox but be forwarded on instead?
Basically we do not want personal information being forwarded on to other users when their OOF is on.
... Alternatively, is there a way to set OOF so that it does not forward on an email from a specific address and puts it in the user's inbox but forwards on the rest of the emails as it would normally do?
Just to completely clarify things: our users use Out of Office, which forwards on their emails when they are away on holiday so other users can chase up their work. However, we have a new HR system that emails out to everyone and we do not want that email to be forwarded on when they are on holiday to another user. Or alternatively the email in question gets forwarded on to a specified mailbox when OOF is on and the rest of the emails go to the user dealing with their work.
I haven't done this, but it seems like you could probably do this in Exchange 2010/2013 using Information Rights Management (IRM). If you've ever seen Outlook messages marked as "Do not forward", this is what I'm talking about. You can configure it in Exchange Management Console from the Hub Transport server or via the New-OutlookProtectionRule cmdlet.
Some examples of similar IRM rules using the cmdlet:
Links:
http://help.outlook.com/en-us/140/gg598216.aspx
https://www.simple-talk.com/sysadmin/exchange/an-introduction-to-information-rights-management-in-exchange-2010/ - This site is well presented and has an example of:
You could use one of two methods; both require some input/work from the end user and the IT staff.
Option 1: Use Outlook Rules and apply a rule that states that when an email is received from HR to not forward it (whether by OOF or some other means). The problem here is that you have to leave Outlook running on the user's computer for the rule to function correctly. You also can't account for something like a power outage or the computer going to sleep and disconnecting Outlook altogether; in those scenarios someone would have to log back in as the user and open Outlook again.
Option 2: Use Transport Rules on the Exchange server which is cleaner, but requires your user to notify IT when they are going on vacation/holiday.
For Transport Rules, you'll find these (in 2010 for example) in the Exchange Management Console > Organization Configuration > Hub Transport.
From here you could create a new rule and apply it to certain groups (if you want the rule applied to specific people, make an Active Directory Security Group and add people to it, then apply this rule to that Group), or to everyone. The rule could do one of many different things. See my screenshot below for an example of 4 helpful, and closely related to what you're talking about, things:
Give me a real life example of what you're talking about in your company and I could probably help you design the Transport Rule. Let me know your thoughts on this. Thanks.
EDIT
I should note that my solution caters much more to the author's original question (or first of three I should say) which was:
An alternate answer and perspective, hopefully much simpler: Using sensitivity headers + IRM. Read on...
Outlook/Exchange already supports "sensitivity" properties of an email, but they are advisory only until you enable IRM. In other words, I can send you an email and set it as sensitivity=Private, but when you view the email, you simply see an info tip the email is private -- you could still forward it, or worse your OOF would still forward it. When you enable IRM, you could set a policy that restricts forwarding of emails with Personal sensitivity (and probably as well Private and Confidential sensitivities).
This solution would have the side benefit that if Mary sends Bill a Private email about how bad the boss smells, but Bill is OOF, the email will not be forwarded. I would think that users would expect this by default: if you send someone a "Private" email, you don't expect it to be auto-forwarded to someone else.
The crux of the approach is you will need to get the new HR program to set the sensitivity header on the email. If not possible, there's still hope: you might be able to have Exchange use a server-side rule that tags all emails from the HR address as sensitivity Personal. These sensitivity headers are not as proprietary as you'd think -- Microsoft actually followed RFC 2156 https://www.rfc-editor.org/rfc/rfc2156#section-5.3.4. So in theory, a non-Microsoft sender could activate these sensitivity flags on an email. My instinct is that even good-old Unix sendmail could send emails as Personal by adding the flag in the MIME header. Haven't tested yet -- would love to see if it works for you.
Less maintenance. If you're the Exchange admin, you want a simple solution. If 20 departments want some emails to not auto-forward, you don't want to set up and maintain 20 rules. You would just tell them that they need to set the email header as Personal, Private, or Confidential, as appropriate. One rule to rule them all.
Let the business decide which ones they want to mark as sensitive, and let Exchange/Outlook use IRM to uphold the business' wishes. Best yet, if you have an HR system that sends different kinds of emails, some are personal (about your disability benefits regarding your recent tuberculosis), some are not so personal (letting people know there's still 7 days left in HR open enrollment; letting people know there's going to be maintenance this weekend and the HR system will be unavailable Sunday ...).
Serverfault: Which mail header does Outlook 2003+ use to indicate the confidentiality?
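An added example, not part of the answer above and not Exchange's own logic: how a non-Microsoft sender could set the RFC 2156 Sensitivity header the answer refers to, and how a forwarding gate could read it before relaying a message. The function names, the example.com addresses and the fail-closed policy for unknown or duplicated values are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Sensitivity values defined in RFC 2156 section 5.3.4.
RFC2156_SENSITIVITY = {"personal", "private", "company-confidential"}


def build_hr_message(sender, recipient, subject, body, sensitivity="Personal"):
    """Compose a message with the Sensitivity header set by the sending system."""
    if sensitivity.lower() not in RFC2156_SENSITIVITY:
        raise ValueError(f"not an RFC 2156 sensitivity value: {sensitivity!r}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Sensitivity"] = sensitivity
    msg.set_content(body)
    return msg.as_string()


def may_auto_forward(raw_message):
    """Return (allowed, reason) for a hypothetical auto-forward gate.

    Assumed policy: forward only when no Sensitivity header is present.
    Duplicated or unrecognised values fail closed, so a malformed header
    cannot be used to slip a message past the check.
    """
    msg = message_from_string(raw_message)
    values = [v.strip().lower() for v in msg.get_all("Sensitivity", [])]
    if not values:
        return True, "no Sensitivity header"
    if len(values) > 1:
        return False, "multiple Sensitivity headers"
    if values[0] in RFC2156_SENSITIVITY:
        return False, f"sensitivity={values[0]}"
    return False, f"unrecognised sensitivity {values[0]!r}"


if __name__ == "__main__":
    # Constructed sample message; addresses are placeholders.
    raw = build_hr_message("hr@example.com", "bill@example.com",
                           "Your benefits statement", "See attached.")
    print(may_auto_forward(raw))
```
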