Active Directory clean up

Posted by
March 28, 2011

IDENTITY MANAGEMENT – DE-PROVISIONING: AN EMPLOYEE LEAVES THE COMPANY

There are often three scenarios to consider when tackling Identity Management: new hires, transfers and departures. Invariably, the onboarding process for a new employee is given the highest priority and emphasis. After all, most organizations do want to ensure new employees can be productive from the get-go. Transfers are often given a lower priority though it all depends on the organization’s maturity level with regard to security and role management.

However, departures are also very important, particularly when it comes to security, license costs and database pollution in IT environments. There can also be an urgent need to shut down accounts and to revoke privileges when disgruntled employees leave the company. However, we can distinguish a difference in priority between directly shutting down user accounts and the eventual cleanup of resource data.

An important aspect to consider is the moment an employee leaves service. Invariably, this information is stored in an HRM system or payroll suite as an organization is sure to discontinue the employee’s salary payments. However, this information all too seldom reaches IT. In many cases, IT will launch its own cleanup initiatives after an internal investigation (last login on the network).

A number of examples are given below of scenarios we have implemented for customers:

Before the employee leaves service:

  • Send an e-mail notification to the employee and his or her manager 2 weeks before the contract expires. This notification should indicate which action should be taken and when the user accounts and privileges will be revoked.
  • Send an additional notification during the last 2 days before expiration of the contract.

The day the employee leaves the company:

  • Block (disable) the login in Active Directory. It is also possible to leave the account active and to exclusively allow login to a non-existing workstation. In this way it will still be possible to access resources such as the Exchange mailbox.
  • Migrate the account to a special OU.
  • Revoke group memberships with the exception of distribution groups (to prevent NDRs to distribution groups).
  • Optionally, stall the blocking of the account for x amount of days if employees are offered a grace period.
  • Transfer mail and data privileges to another user, e.g. a manager. You can do so by assigning/overwriting privileges or by copying these resources to the manager’s environment in their entirety.
  • Create a closed call in helpdesk system, such as Track-It, with a description of the account block.
  • Downstream provisioning: block the user in application X.

After a certain blocking period:

  • Delete the account.
  • Migrate the associated data (home directory, profile, terminal server home directory and/or profiles), to an archive folder.
  • Export the Exchange mailbox to a PST file and save it on an archive server.
  • Completely remove all mail and data (optional).

It is possible to have these scenarios carried out in an automated and phased way. Alternatively, parts of these scenarios could also be performed manually through the use of electronic forms. For instance, it is common to have the notification and blocking performed automatically but to perform the definitive removal manually by having a user click a Remove button.

 

Would you like to know more about how UMRA can help you maintain a clean data visit our website: www.tools4ever.com

 

Identity and Access Management

Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.

Comments

No comments yet.

Leave a comment

(required)

(required)


CAPTCHA Image
*