I heard from quite a few people about how useful my post about Employee Separations was. As a bonus, I put together a document that breaks out the items into a checklist that you can edit to meet the needs of your environment. No matter how often you are removing user accounts or performing some other similar task, a checklist helps ensure you don’t miss anything in case your work is questioned at a later time.
Month: January 2010
New Hires – My System Admin Wish List
Last week I wrote about employee separations and the list of things that often need to be considered when an employee leaves. To balance that, here is the list of information I’d like to have handy when a new employee needs access to corporate resources.
- Proper spelling of the person’s name (and if they have a preferred nickname) – Your company might insist that user accounts and email addresses be based on legal names, but if “Robert” always goes by “Bob” he may prefer “bjones” over “rjones” for his username. If your email global address book is sorted by first names, other staffers might look for Bob first under B, instead of R.
- Start Date – I want to make sure everything is ready on the proper day. But it’s also important to let me know if the start date is changed or delayed. Most accounts are created with a generic, easy password and I would prefer to not have an active account hanging out there for an extra 2 weeks before the new hire can select a more secure password.
After the name and the start date, everything else tends to drift quickly from the ideal “standard” setup and slips to every employee being just a little bit different. By default, I give every new employee a personal home directory on the file server, access to their department’s file share and membership on their department distribution list and any generic office lists, like “All Staff” or “San Francisco Office”.
- Specialty Distribution Lists – Which other DLs do they need to be on? Contractors and employees might use different DLs. Managers, supervisors, special project lists, etc.
- Phone Number – Will any available phone number do? Sometimes a hire is destined to replace someone who needs immediate coverage. If that’s not the case, I like to give out a fresh DID or at least one that hasn’t been used in a while. No one likes to spend their first weeks on the job fielding calls that don’t pertain to them. If I’m reusing numbers, I like to keep recycled numbers in the same department if possible. This way the new person in accounting won’t be getting calls directed to the person who retired from HR. And what about calling privileges – local only, long distance, international calling? How about membership in special hunt groups, dial-by-name directory? Do they need call appearances to pick up calls for a manager or executive?
- Applications and Security Groups – Which applications will they be using their first week or so? I know roles evolve and users always need their access adjusted. New hires usually will be learning 2-4 new applications immediately, so concentrate on finding out what those are. I don’t like to “make Bob the same as Joe”, because I know that Joe probably has membership in some security groups that Bob will never need. If the hiring manager can’t give you a list of which applications and data the new hire needs, remind them that security groups and application access are areas that are often looked at closely by auditors.
- Hardware – What’s standard for others in that department or role? If you have options for different mice or keyboards, let the newcomer know so they can request changes sooner rather than later. Make sure they are connected to the closest printer to their workspace, etc.
- Helpdesk Communications – Make sure they know the appropriate ways to submit help desk tickets or report problems. Should they use a ticketing system? Send email? Call a special number? Pop into your cube? It’s a safe bet that people new to the office don’t want to annoy the IT folks, so set them up for success.
- Training Documentation – Many departments have manuals or documentation about how various tasks are performed; IT is no different. Voice Mail instructions, conference bridge information, document management system procedures, “how-to” information for common FAQs related to Outlook or other applications… make sure the new hire knows how and where to find those things. It’s much easier to help someone do something right the first time than to bother your DBA with bulk corrections to database information that was improperly entered.
Finally, document, document, document! File any forms or emails related to access needs and who authorized the access. Note the date you added or changed access going forward. Not only will this help with any audit needs, proper documentation can make it easier to remove access completely when someone leaves the company in the future.
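The Start Date item above warns about accounts with a generic password sitting active before the new hire arrives. The following is an added example (not from the original post) of one way to catch that in Active Directory; it assumes the ActiveDirectory PowerShell module, and the staging OU name and three-day threshold are hypothetical.

```powershell
# Added example: report enabled accounts that were created a while ago but have
# never been used, i.e. accounts likely still carrying the generic setup password.
# Assumptions: ActiveDirectory module (RSAT); the OU below is a hypothetical name.
Import-Module ActiveDirectory

function Get-UnusedNewHireAccount {
    [CmdletBinding()]
    param(
        [string]$SearchBase = 'OU=New Hires,DC=example,DC=com',  # hypothetical OU
        [int]$MaxAgeDays = 3                                      # hypothetical threshold
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # LastLogonDate is empty until the first interactive or network logon.
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties whenCreated, LastLogonDate, pwdLastSet |
        Where-Object { -not $_.LastLogonDate -and $_.whenCreated -lt $cutoff } |
        Select-Object SamAccountName, whenCreated,
            @{ Name = 'MustChangeAtLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

function Suspend-UnusedNewHireAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable until confirmed start date')) {
            Disable-ADAccount -Identity $SamAccountName
        }
    }
}

# Review first, then disable; -WhatIf shows what would change without doing it.
Get-UnusedNewHireAccount | Format-Table -AutoSize
Get-UnusedNewHireAccount | Suspend-UnusedNewHireAccount -WhatIf
```

Running the report on a schedule turns a delayed start date into a visible exception instead of an open account nobody remembers.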
Confessions of a new MVP
I confess. I’ve been a Microsoft MVP for less than 2 weeks and I didn’t realize what I was getting into. There is a well-known quote from “The Matrix” where Cypher says to Neo, “I know what you’re thinking, ’cause right now I’m thinking the same thing. Actually, I’ve been thinking it ever since I got here: Why oh why didn’t I take the BLUE pill?”
I thought I had a pretty good handle on what resources I had available to me as an IT professional. TechNet, conferences, white papers, sponsored webcasts, blogs, books, user groups, training classes… My schedule was easy to fill.
And then comes the MVP award. Sure, I could just hang my certificate in my cube and call it a day. After all, it’s an award for recognizing past contributions to the tech community. But it turns out it’s more than just an award. It’s a door to a world of resources and information that I didn’t know existed.
Barely a week has passed and I find myself trying to be realistic about the amount of information I can actually consume in the next year. There are more webcasts and chats and online meetings and downloadable resources than I can even begin to get my head around. I feel like a kid in a candy store, or perhaps like someone in the TV aisle of Best Buy, trying to figure out where to focus my attention first.
I’m sure I’ll have a better handle on what direction I should be facing as I get more comfortable with the ins and outs of the program. I’m looking forward to being able to use this experience as a way to give back to all those who’ve helped me out of a jam with a timely blog post or magazine article. But until then it seems like I’m back at my first days as a high school freshman. Does anyone know the way to the cafeteria?
My 2010 Reading List: So Far
It’s unfortunate that I feel like I’m starting the year already behind on my “tech” reading list. Here’s a quick list of what I have within arm’s reach.
- Mastering Windows SharePoint Services 3.0 by C. A. Callahan – This has been a great resource for my first attempt at implementing SharePoint. It’s a hefty book; I wish it included a PDF version I could convert onto my Kindle.
- Microsoft Exchange Server 2007: The Complete Reference by Richard Luckett, William Lefkovics, Bharat Suneja and MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide – These have been part of my Exchange certification study materials, as well as a starting point for deciding if it’s worth migrating to Exchange 2007 or skipping to Exchange 2010.
- Windows Server 2008 Hyper-V: Insiders Guide to Microsoft’s Hypervisor by John Kelbley, Mike Sterling and Allen Stewart – Would you believe I got this free from NetApp? It got several good reviews on Amazon, so I’m looking forward to getting a chance to sit down with it.
- Group Policy: Fundamentals, Security, and Troubleshooting by Jeremy Moskowitz – I read his Windows 2000 Group Policy book years ago, so I much appreciated winning this one from him via Twitter.
In addition to books, I’ve downloaded several whitepapers onto my Kindle for those free moments on the subway:
Managing Employee “Separations”
It happens at every workplace. Employees leave – layoffs, retiring, or just moving on to new things. As a systems administrator, I wish that managers understood how deeply integrated a staff-person is with the computer systems they work on daily. It’s not always a simple process to undo someone’s existence.
Processing exiting employees without identity lifecycle tools can be tedious, but it’s often the way things are done in small and medium sized businesses. I realize that several days’ notice isn’t always possible, but I can hope. I’ll even take a few hours of notice. However, we’ve all gotten that call at ten minutes to 5:00pm letting us know that someone won’t be coming in the next day.
I have my list of basic things I’d like a department manager to think about when it comes to seeing an employee off. The first couple can get me out the door on time; the rest of them tie things up in a nice package.
Before beginning, it’s important to make sure the employee REALLY is leaving. It’s not unheard of to get several days of notice about a separation, complete the account closure process, and then find out that the employee will be contracting from time to time and needs access when they are on-site.
- What time should their network account be disabled? – Ideally this is before someone in the NetOps department leaves for the day. Worst case is having to set an account expiration, as midnight often comes a long time after the employee has walked out with their final paycheck.
- Do they have remote access? – If yes, I disable that ASAP. This way, if the network account has to stay active for longer than I’d like, at least they have to be physically in the office to log on.
- Email Forwarding – Is it needed? If so, I like to turn that on as soon as possible so that any incoming emails (especially over a weekend) are not missed.
- Phone and Voicemail – Is any call forwarding needed? For the same reasons as email, I don’t want any voicemail messages missed or left unchecked for too long.
- Building Access – Has the access to office space been removed? Network Operations isn’t always responsible for physical access and that needs to be coordinated as well.
Now that is just my “get-things-under-control” checklist. Then come the rest of the things that need to be considered, but most managers really don’t know to mention them ahead of time.
- Email History – Does someone need a copy of their email box? Does the user have any PST files that need to be located and preserved?
- Distribution Lists – Is the user the sole member of any distribution lists? If so, removing them and leaving the DL empty will cause messages to go undelivered and lost. A new contact person needs to be designated.
- Work Files – Does the user have a home folder or area where they store work products? Do these files need to be preserved?
- Phone System – Is the user a destination for any phone tree options, a member of a workgroup or hunt groups?
- Application Management – Is the user the sole owner/manager of other important enterprise products like databases or SharePoint sites? Those roles will need to be assigned to someone else. Are there any applications that regularly delegate specific tasks that would need to be reassigned to a co-worker?
- External Systems – Does the user have any accounts with third-party systems (not AD or Windows-integrated) or external systems with other partners or clients where access would need to be removed separately?
- Locally Installed Applications or Hardware – Do they have some special applications or hardware installed on their workstations that need to be set up for another staff member?
Finally, there is usually a change control process that documents what was done to close the network account of the user so items weren’t overlooked. In a perfect world, the manager in question would have filled out the necessary forms ahead of time, but I’ll settle for some quick answers over email that I can file in our document management system.
Every company will have its own list of tasks, but the premise is the same. Securing critical data and making sure that customers continue to be served after the departure of an employee are important aspects of any systems administrator’s job.
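As an added example (not part of the original post), here is one way three of the checklist items above could be scripted against Active Directory: disabling or expiring the account at an agreed time, flagging distribution lists where the user is the sole member, and saving a record for change control. It assumes the ActiveDirectory PowerShell module; the report path and the sample time are constructed for illustration.

```powershell
# Added example covering three checklist items: timed disablement, sole-member
# distribution lists, and a record for change control.
# Assumptions: ActiveDirectory module (RSAT); the report path is hypothetical.
Import-Module ActiveDirectory

function Get-SoleMemberDistributionList {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Only distribution groups: removing the last member leaves mail undelivered.
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.GroupCategory -eq 'Distribution' } |
        Where-Object { @(Get-ADGroupMember -Identity $_.DistinguishedName).Count -eq 1 }
}

function Close-SeparatedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$DisableAt,
        [string]$ReportPath = ".\separation-${SamAccountName}.csv"  # hypothetical path
    )
    # Record memberships before changing anything, for the change-control file.
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object Name, GroupCategory, GroupScope |
        Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($dl in @(Get-SoleMemberDistributionList -SamAccountName $SamAccountName)) {
        Write-Warning "DL '$($dl.Name)' has no other member; assign a new contact first."
    }

    if ($DisableAt -le (Get-Date)) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account now')) {
            Disable-ADAccount -Identity $SamAccountName
        }
    } elseif ($PSCmdlet.ShouldProcess($SamAccountName, "Expire account at $DisableAt")) {
        # Fallback when nobody will be on hand at the agreed time.
        Set-ADAccountExpiration -Identity $SamAccountName -DateTime $DisableAt
    }
}

# Constructed sample call: user 'bjones', cut off at 5:00pm today; -WhatIf is a dry run.
Close-SeparatedAccount -SamAccountName 'bjones' -DisableAt (Get-Date).Date.AddHours(17) -WhatIf
```

Remote access, email forwarding, phone system and third-party accounts are not covered here and still need their own steps.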
Thoughts on Air Travel Security
I know that airport security is probably pushing it when it comes to technology topics, but one can’t help but notice all the recent hoopla regarding airline travel lately.
I travelled to the east coast over the holidays (after the Christmas day incident) and had mixed feelings about the fact that security screenings were no better and no worse than they had been the past year. My husband got the extra “pat down” during our return trip, but stated that he’d been physically screened more significantly when going to a music concert. Overall, I find the current system to be more “security theater” than not. I’m sure that the current procedures do discourage some more casual attempts to cause harm, but when someone is determined, it’s possible to circumvent the system.
While it’s important to look for metal items that could be used as weapons, TSA still cannot consistently detect explosives on passengers or in carry-on luggage. Personally, I would be willing to bring less into the cabin of the plane and tolerate having it more closely screened, if it meant that I would have unlimited access to those items for the duration of the flight and would not have my movements unnecessarily restricted.
Granted this would mean making improvements in the baggage handling systems and require airlines to charge less for checked baggage in order to restore confidence in handing one’s bag over to an agent. However less carry-on luggage would allow for faster passenger screening – either by hand, machine or trained dog.
On Sunday, EWR was partly shut down due to someone entering through an exit into a secure area. I am surprised this doesn’t happen more often. Airports are busy, often confusing places, filled with distracted people who want to be someplace else. What concerns me is that they never found the guy. Clearly airports need to take a sheet from the casino playbook when it comes to installing video surveillance systems. Hundreds of travelers could have avoided being rescreened and flights could have operated as usual if TSA could have simply tracked down the errant man.
Security works best when it’s unobtrusive and consistently applied. While random screening procedures do have their place, it’s not practical to make traveling more frustrating for the majority of the population by adding to the confusion with knee-jerk restrictions that don’t address the obvious issues. If nothing else, TSA does lend itself to some great tweets. Check out this travel blog post that calls out seven of them.
UberTwitter – Beta 6 Released
I was happy to discover that 2010 brought an updated release to my favorite Twitter client for the BlackBerry, UberTwitter. This release supports some of the new features of Twitter, including lists and the updated retweet function. In addition to the added functionality, the UI has been updated to make it easier to access your DM and @ replies. The application icon looks a little too close to the Facebook icon on the BlackBerry for my taste, but perhaps that was done on purpose.
I’ve been using the free version, which has some advertising, but decided to spend the nominal fee to upgrade to the paid version this year. Since I’ve been using Twitter more and more to communicate with other tech-minded folk and get news, I figure it’s the least I can do.
See you in the Twitterverse!
Don’t Forget – PacITPros Meeting on January 5th!
New Year, New Adventure
I was excited to wake up this morning to an email from the Microsoft MVP Program, congratulating me on earning an award for 2010 in the technology area of “Windows Desktop Experience.” I’m honored to have the chance to be part of this group and continue to contribute to the technology community.
After nearly 10 years of being part of the Pacific IT Professionals user group, I think this type of community might just be in my blood. I hope this award allows me to bring even more benefits to our growing group of IT professionals.
I’m looking forward to learning more about Microsoft and meeting other fellow MVPs at the upcoming summit in February. Here’s to 2010!