However, departures are also very important, particularly when it comes to security, license costs and database pollution in IT environments. There can also be an urgent need to shut down accounts and to revoke privileges when disgruntled employees leave the company. However, we can distinguish a difference in priority between directly shutting down user accounts and the eventual cleanup of resource data.
An important aspect to consider is the moment an employee leaves service. Invariably, this information is stored in an HRM system or payroll suite as an organization is sure to discontinue the employee’s salary payments. However, this information all too seldom reaches IT. In many cases, IT will launch its own cleanup initiatives after an internal investigation (last login on the network).
A number of examples are given below of scenarios we have implemented for customers:
Before the employee leaves service:
- Send an e-mail notification to the employee and his or her manager 2 weeks before the contract expires. This notification should indicate which action should be taken and when the user accounts and privileges will be revoked.
- Send an additional notification during the last 2 days before expiration of the contract.
The day the employee leaves the company:
- Block (disable) the login in Active Directory. It is also possible to leave the account active and to exclusively allow login to a non-existing workstation. In this way it will still be possible to access resources such as the Exchange mailbox.
- Migrate the account to a special OU.
- Revoke group memberships with the exception of distribution groups (to prevent NDRs to distribution groups).
- Optionally, stall the blocking of the account for x amount of days if employees are offered a grace period.
- Transfer mail and data privileges to another user, e.g. a manager. You can do so by assigning/overwriting privileges or by copying these resources to the manager’s environment in their entirety.
- Create a closed call in helpdesk system, such as Track-It, with a description of the account block.
- Downstream provisioning: block the user in application X.
After a certain blocking period:
- Delete the account.
- Migrate the associated data (home directory, profile, terminal server home directory and/or profiles), to an archive folder.
- Export the Exchange mailbox to a PST file and save it on an archive server.
- Completely remove all mail and data (optional).
It is possible to have these scenarios carried out in an automated and phased way. Alternatively, parts of these scenarios could also be performed manually through the use of electronic forms. For instance, it is common to have the notification and blocking performed automatically but to perform the definitive removal manually by having a user click a Remove button.