It happens at every workplace. Employees leave – layoffs, retiring, or just moving on to new things. As a systems administrator, I wish that managers understood how deeply integrated a staff-person is with the computer systems they work on daily. It’s not always a simple process to undo someone’s existence.
Processing exiting employees without identity lifecycle tools can be tedious, but it’s often the way things are done in small and medium sized businesses. I realize that several days notice isn’t always possible, but I can hope. I’ll even take a few hours of notice. However, we’ve all gotten that call at ten minutes to 5:00pm letting use know that someone won’t be coming in the next day.
I have my list of basic things I’d like a department manager to think about when it comes to seeing an employee off. The first couple can get me out out the door on time, the rest of them tie things up in a nice package.
Before beginning, it’s important to make sure the employee REALLY is leaving. It’s not unheard of to get several days of notice about a separation, complete account closure process, and then find out that the employee will be contracting from time to time and needs access when they are on-site.
- What time should their network account be disabled? – Ideally this is before someone in the NetOps department leaves for the day. Worst case is having to set an account expiration, as midnight often comes a long time after the employee has walked out with their final paycheck.
- Do they have remote access? – If yes, I disable that ASAP. This way if the network account has to stay active for longer than I’d like at least they have to be physically in the office log on.
- Email Forwarding – Is it needed? If so, I like to turn that on as soon as possible so that any incoming emails (especially over a weekend) are not missed.
- Phone and Voicemail – Is any call forwarding needed? For the same reasons as email, I don’t want any voicemail messages missed or left unchecked for too long.
- Building Access – Has the access to office space been removed? Network Operations isn’t always responsible for physical access and that needs to coordinated as well.
Now those are just my “get-things-under-control” checklist. Then comes the rest of the things that need to be considered, but most managers really don’t know to mention them ahead of time.
- Email History – Do someone need a copy of their email box? Does the user have any PST files that need to be located and preserved?
- Distribution Lists – Is the user the sole member of any distribution lists? If so, removing them and leaving the DL empty will cause messages to go undelivered and lost. A new contact person needs to be designated.
- Work Files – Does the user have a home folder or area where they store work products? Do these files need to be preserved?
- Phone System – Is the user a destination for any phone tree options, a member of a workgroup or hunt groups?
- Application Management – Is the user the sole owner/manager of other important enterprise products like databases or SharePoint sites? Those roles will need to be assigned to someone else. Is there any applications that regularly delegate specific tasks that would need to be reassigned to a co-worker?
- External Systems – Does the user have any accounts with third-party systems (not AD or Windows-integrated) or external systems with other partners or clients where access would need to be removed separately?
- Locally Installed Applications or Hardware – Do they have some special applications or hardware installed on their workstations that need to be set up for another staff member?
Finally, there is usually a change control process that documents what was done to close the network account of the user so items weren’t overlooked. In a perfect world, the manager in question would have filled out the necessary forms ahead of time, but I’ll settle for some quick answers over email that I can file in our document management system.
Every company will have it’s only list of tasks, but the premise is the same. Securing critical data and making sure that customers continue to be served after the departure of an employee are important aspects of any systems administrator’s job.