Last time we talked about what to do when a Client Hires a New Employee. This article will address the other side of that issue: When a Client's Employee Leaves.
Obviously, employees leave for lots of reasons. They take new jobs, get married, move for family reasons, get fired, get promoted to another office, etc. So departures need to be handled differently. In addition, companies have different security needs and SOPs (standard operating procedures) that affect employee departures.
As with so many changes, we have to be careful about how we remove users from the network. While it is unlikely that a user will return, it's certainly possible. At a minimum, their data need to be protected. That means their Outlook data, locally stored files, personalized database data, and so forth. Even after the user's logon has been disabled and deleted, some of their data will remain and you need to be able to find it.
Reading through this procedure, you'll notice that the keyword here is "deliberate." That means you're going to go slow, be careful, and don't make anything irreversible until it needs to be.
Step One. Request to Disable or Delete a User From The Network
When a Client has an employee or contractor leave the company, there is a standard list of steps to be taken. The nature of the user exit must be determined in case there are additional actions to be taken. If there are security concerns, a more immediate response is required in disabling the account.
Of course all actions must be within a service request. So you must create a service request in your PSA as soon as you receive a request from the client.
- Communicate with the client contact to determine the best action based on their situation and needs.
- If there is any reason to believe the employee or contractor exit is hasty and un-amicable take all necessary action to protect the client and their system first.
- Determine Nature of user Exit.
- If necessary, disable the users account right away and change the password.
- Compose and send an email to the client contact using the template "Request to disable or delete a user from the network - Initial Request" from the email templates directory. Make sure a copy of this gets into the service request.
Step Two: Disabling or Deleting a User From The Network
Note: After the user is deleted from the network, do not run the Exchange mailbox cleanup agent until a full backup has gone off site for the month.
Once you have received the reply with all the required information, proceed as follows:
- Change the departing user's domain account password. In general, it's a good practice to change the password or disable the account and leave it that way for 30 days. The final step will be to wait 30 days and then delete the account.
- If necessary, change passwords for other existing accounts that user may have access to. This includes financial programs, databases, line of business applications, etc.
- Document the password changes.
- Reassign the user's SMTP addresses in Exchange as outlined in the client contacts email.
- Reassign the user's SMTP addresses in the email spam filter as outlined in the client contacts email.
- Delete the user's Email spam filter account.
- Log onto the user's workstation as the departing user.
- Export all of the user's email to a single archive file named "User_Name>'s archived email YYYYMMDD.pst".
- - Note: Do not use encrypt the file or use a password. You'll be storing it on a secure network drive.
- Move (not copy) the .pst file to the clients "\Archived Email" directory.
- Assign user access to the.pst as outlined in the client contacts email. (Default is to assign Everyone)
- Move (not copy) the users data from My Documents, Desktop and anywhere else it may be located on the workstation to the server "\Archived Users Data\'s archived data" directory.
- Move (not copy) the users data from their Users personal folder on the network to the server "\Archived Users Data\'s archived data" directory. Do not move My Music, My Pictures or My Videos unless explicitly requested by the client.
- The directory structure would look like this:
- Company Data\ Archived Users Data\Tom's archived data\My Documents
- Company Data\ Archived Users Data\Tom's archived data\Desktop
- Company Data\ Archived Users Data\Tom's archived data\Users folder
- Assign user access to these directories and files as outlined in the client contacts email. (Default is to assign Everyone)
- Removed the user contact from the PSA system.
- Compose and send an email to the client contact using the template "Request to disable or delete a user from the network - Request Completed" from the email templates directory.
- Change the service request status to "Schedule" and schedule it for 30 days in the future. The final action in the service request should be:
- - Remove the user from the domain and be certain the checkbox is checked to "Remove user's home folder".
The first thing you need to do is to create your version of this checklist. In many cases, you'll want to personalize this for every client. Just as with New PC checklists and many other tasks, having client-specific checklists (and folders) will make you much more efficient.
After you create your checklist, you need to write up your version of this process. You might not use email and a ticketing system as we do. So make sure the process flow works for you.
Finally, you'll need to train your technicians and then remind them that you have this process when it's needed. Clients don't lose people very often, so you might not use this procedure very often. It's important to remember you have it! Not only that, but you will need to be extremely careful in your documentation because no one in your company will get a chance to use this all the time. That means it needs to be written well enough for a first-timer to follow.
The templates mentioned in this procedure are below.
Your Comments Welcome.
- - - - -
,
This email is to request information regarding the Service Request to disable or delete a user from the network. This information is required to proceed.
Our normal procedure is as follows:
1) Disable the user account so no one can log in as that user.
2) Redirect their internet email to someone else in the company if need be.
3) Export all of their email to a single archive file in a public directory on the server.
4) Move all the company data the user may have had on their workstation to public directories on the server.
5) Delete the user from the network.
We need the following to proceed:
1) What is the users full name?
2) What is the name of the computer they have been using?
3) If the user's internet email is still to be accepted, to which user should we point it?
4) When we export all of their current and old email to a single archive file, who will need access to it? Note: Typically we do not restrict access to the archive file.
5) Where should we move any company data we find in the user’s personal folders or on their workstation? Note: Typically we put it into the most public file area on the server so it can be sorted and assimilated.
6) Is there any reason this user should not be completely deleted from the system?
Thank you.
- - - - -
,
We have completed your Service Request to disable or delete a user from the network.
The user has been deleted.
The user's internet email has been redirected to.
The users email has been exported to a single archive file called’s archived email YYYYMMDD.pst in the \Archived Email directory.
The following users have access to the file: Everyone
Remember, only one user can have the file open at any given time.
The user's data has been moved from their personal folder on the server and their workstation to the\Archived Users Data\’s archived data directory.
The following users have access to these files: Everyone
If there is anything else we can do for you please give us a call.
Thank you.
- - - - -
About this Series
Obviously, employees leave for lots of reasons. They take new jobs, get married, move for family reasons, get fired, get promoted to another office, etc. So departures need to be handled differently. In addition, companies have different security needs and SOPs (standard operating procedures) that affect employee departures.
As with so many changes, we have to be careful about how we remove users from the network. While it is unlikely that a user will return, it's certainly possible. At a minimum, their data need to be protected. That means their Outlook data, locally stored files, personalized database data, and so forth. Even after the user's logon has been disabled and deleted, some of their data will remain and you need to be able to find it.
Reading through this procedure, you'll notice that the keyword here is "deliberate." That means you're going to go slow, be careful, and don't make anything irreversible until it needs to be.
Procedure for Users Exit from a Company
When a Client has an employee or contractor leave the company, there is a standard list of steps to be taken. The nature of the user exit must be determined in case there are additional actions to be taken. If there are security concerns, a more immediate response is required in disabling the account.
Of course all actions must be within a service request. So you must create a service request in your PSA as soon as you receive a request from the client.
- Communicate with the client contact to determine the best action based on their situation and needs.
- If there is any reason to believe the employee or contractor exit is hasty and un-amicable take all necessary action to protect the client and their system first.
- Determine Nature of user Exit.
- If necessary, disable the users account right away and change the password.
- Compose and send an email to the client contact using the template "Request to disable or delete a user from the network - Initial Request" from the email templates directory. Make sure a copy of this gets into the service request.
Step Two: Disabling or Deleting a User From The Network
Note: After the user is deleted from the network, do not run the Exchange mailbox cleanup agent until a full backup has gone off site for the month.
Once you have received the reply with all the required information, proceed as follows:
- Change the departing user's domain account password. In general, it's a good practice to change the password or disable the account and leave it that way for 30 days. The final step will be to wait 30 days and then delete the account.
- If necessary, change passwords for other existing accounts that user may have access to. This includes financial programs, databases, line of business applications, etc.
- Document the password changes.
- Reassign the user's SMTP addresses in Exchange as outlined in the client contacts email.
- Reassign the user's SMTP addresses in the email spam filter as outlined in the client contacts email.
- Delete the user's Email spam filter account.
- Log onto the user's workstation as the departing user.
- Export all of the user's email to a single archive file named "User_Name>'s archived email YYYYMMDD.pst".
- - Note: Do not use encrypt the file or use a password. You'll be storing it on a secure network drive.
- Move (not copy) the .pst file to the clients "
- Assign user access to the.pst as outlined in the client contacts email. (Default is to assign Everyone)
- Move (not copy) the users data from My Documents, Desktop and anywhere else it may be located on the workstation to the server "
- Move (not copy) the users data from their Users personal folder on the network to the server "
- The directory structure would look like this:
- Company Data\ Archived Users Data\Tom's archived data\My Documents
- Company Data\ Archived Users Data\Tom's archived data\Desktop
- Company Data\ Archived Users Data\Tom's archived data\Users folder
- Assign user access to these directories and files as outlined in the client contacts email. (Default is to assign Everyone)
- Removed the user contact from the PSA system.
- Compose and send an email to the client contact using the template "Request to disable or delete a user from the network - Request Completed" from the email templates directory.
- Change the service request status to "Schedule" and schedule it for 30 days in the future. The final action in the service request should be:
- - Remove the user from the domain and be certain the checkbox is checked to "Remove user's home folder".
Implementation Notes
The first thing you need to do is to create your version of this checklist. In many cases, you'll want to personalize this for every client. Just as with New PC checklists and many other tasks, having client-specific checklists (and folders) will make you much more efficient.
After you create your checklist, you need to write up your version of this process. You might not use email and a ticketing system as we do. So make sure the process flow works for you.
Finally, you'll need to train your technicians and then remind them that you have this process when it's needed. Clients don't lose people very often, so you might not use this procedure very often. It's important to remember you have it! Not only that, but you will need to be extremely careful in your documentation because no one in your company will get a chance to use this all the time. That means it needs to be written well enough for a first-timer to follow.
The templates mentioned in this procedure are below.
Your Comments Welcome.
- - - - -
Email Template: Request to disable or delete a user from the network
HelloThis email is to request information regarding the Service Request to disable or delete a user from the network. This information is required to proceed.
Our normal procedure is as follows:
1) Disable the user account so no one can log in as that user.
2) Redirect their internet email to someone else in the company if need be.
3) Export all of their email to a single archive file in a public directory on the server.
4) Move all the company data the user may have had on their workstation to public directories on the server.
5) Delete the user from the network.
We need the following to proceed:
1) What is the users full name?
2) What is the name of the computer they have been using?
3) If the user's internet email is still to be accepted, to which user should we point it?
4) When we export all of their current and old email to a single archive file, who will need access to it? Note: Typically we do not restrict access to the archive file.
5) Where should we move any company data we find in the user’s personal folders or on their workstation? Note: Typically we put it into the most public file area on the server so it can be sorted and assimilated.
6) Is there any reason this user should not be completely deleted from the system?
Thank you.
- - - - -
Template: Request to disable or delete a user from the network - Completed
HelloWe have completed your Service Request to disable or delete a user from the network.
The user
The user's internet email has been redirected to
The users email has been exported to a single archive file called
The following users have access to the file: Everyone
Remember, only one user can have the file open at any given time.
The user's data has been moved from their personal folder on the server and their workstation to the
The following users have access to these files: Everyone
If there is anything else we can do for you please give us a call.
Thank you.
- - - - -
SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.
Find out more about the series, and view the complete "table of contents" for SOP Friday at http://www.smallbizthoughts.com/events/SOPFriday.html.
- - - - -
Next week's topic: Patch Management Philosophy and Procedures
:-)
| Check Out the #1 ranked Managed Services book at Amazon: Managed Services in A Month by Karl W. Palachuk Buy it as a printed book, Audio book, or ebook! |
No comments:
Post a Comment
Feedback Welcome
Please note, however, that spam will be deleted, as will abusive posts.
Disagreements welcome!