| Poll: Do you disable AD user accounts before complete deletion | Share | Votes |
|---|---|---|
| Yes, I disable the user for a while before deleting | 83% | 15 |
| No, I delete the user straight away | 6% | 1 |
| Sometimes, depending on the chance of re-hiring the employee | 11% | 2 |
| I don't have Active Directory... :-( | 0% | 0 |
| Total Votes : 18 | | |
| Author |
Message |
07/01/2009 06:45:44
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 516
Offline
|
Hello,
We are having a bit of a brainstorming about administrators' habits.
When an employee leaves (quits, gets fired, retires, etc.), we want to know if you disable the user account for some period before completely deleting it or if you delete the user straight away.
This is something that we are very interested in, to guide us in future development...
|
|
|
07/01/2009 07:31:36
|
techguy
SysAid Mod

Joined: 11/06/2008
Messages: 1506
Location: England
Offline
|
Yes, I always disable for a while first, as we often get incorrect leaving dates or the employee stays on a few extra days, or their manager suddenly needs to refer to something they worked on.
|
Need help? Try the SysAid wiki first! - http://sites.google.com/site/sysaidwiki |
|
|
07/01/2009 10:13:09
|
Lev
SysAid Mod

Joined: 18/08/2008
Messages: 508
Location: Haifa, Israel
Offline
|
We keep the user disabled for a while (a long while).
Users have mail, network folders with files...
Maybe some important data comes to his mail and you want to redirect it for a while...
|
DONT !!! DONT TOUCH THE KEYBOARD !!! |
|
|
16/01/2009 14:31:50
|
CCSO IT
Super SysAider

Joined: 05/09/2008
Messages: 54
Offline
|
We usually kill off the username right away so that we don't go in and wonder why the account was disabled, etc. Also, with the sensitive nature of law enforcement data and all, we would rather be 100% sure they are no longer in the system.
|
Thanks,
Thomas Hardin
Microcomputer Specialist
Clackamas County Sheriff's Office |
|
|
18/01/2009 16:13:51
|
Roadblockx
SysAider
Joined: 03/01/2009
Messages: 25
Offline
|
Great question.
As the Sr. Engineer for a gov agency (state prosecutors), security is the top priority. When our dept receives an account to be deleted, the first step is always to disable it first. To ensure that the account isn't left in that state, we add in the account's comment/description field "To be deleted > POC xxxx" where POC is the point of contact and xxx is the name of the person handling the deletion. The ticket is assigned to someone on the security team, who becomes the POC. After two weeks (10 business days), the requestor of the account is notified that the account will be deleted (last chance). At that point, if no response is received to stop the deletion, the user's account is backed up and deleted.
A lot of steps, but it was implemented after a couple of "oops" and I didn't want to see my name as the admin that led to a data breach!
|
|
|
18/01/2009 16:16:03
|
Roadblockx
SysAider
Joined: 03/01/2009
Messages: 25
Offline
|
I failed to mention one other step. When the account is disabled, the tech adds a date to the dept's calendar for the user account to be deleted. That way if the tech is not there that day, the manager or I will be notified and we can kill the account ourselves. We had to add this step after doing an audit and finding 30+ accounts with "to be deleted > POC xxx" and the tech assigned was no longer there!
This message was edited 1 time. Last update was at 18/01/2009 16:16:18
|
|
|
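An audit in the spirit of the one described in the two posts above, as an added example that is not part of the original thread: it flags disabled accounts whose "To be deleted > POC" marker is overdue, whose POC has left, or that carry no marker at all. The function names, the `ActiveStaff` list and the use of `whenChanged` as a stand-in for the disable date are assumptions; the sample accounts are constructed.

```powershell
# Added example: find disabled accounts stuck in the "To be deleted" state.
$weekend = [DayOfWeek]::Saturday, [DayOfWeek]::Sunday

function Add-BusinessDays {
    param([datetime]$Start, [int]$Days)
    $d = $Start
    while ($Days -gt 0) {
        $d = $d.AddDays(1)
        if ($d.DayOfWeek -notin $weekend) { $Days-- }   # skip Saturday and Sunday
    }
    $d
}

function Get-StaleDisabledAccount {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [string[]]$ActiveStaff = @(),      # hypothetical: logon names of current IT staff
        [int]$GraceBusinessDays = 10,      # the "two weeks (10 business days)" window
        [datetime]$AsOf = (Get-Date)
    )
    process {
        if ($User.Enabled) { return }      # only disabled accounts are of interest
        $finding = $null; $poc = $null
        if ($User.Description -match '^To be deleted > POC (?<poc>\S+)') {
            $poc = $Matches['poc']
            # Assumption: whenChanged approximates the day the account was disabled.
            $due = Add-BusinessDays -Start $User.whenChanged -Days $GraceBusinessDays
            if ($poc -notin $ActiveStaff) { $finding = 'POC is no longer on staff' }
            elseif ($AsOf -gt $due)       { $finding = 'Deletion overdue' }
        } else {
            $finding = 'Disabled with no deletion marker or POC'
        }
        if ($finding) {
            [pscustomobject]@{ Account = $User.SamAccountName; POC = $poc; Finding = $finding }
        }
    }
}

# Constructed sample data (not real accounts). Against a live domain, pipe in:
#   Get-ADUser -Filter 'Enabled -eq $false' -Properties Description, whenChanged
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Enabled = $false; Description = 'To be deleted > POC asmith'; whenChanged = [datetime]'2009-01-02' }
    [pscustomobject]@{ SamAccountName = 'mbrown'; Enabled = $false; Description = 'To be deleted > POC gone1';  whenChanged = [datetime]'2009-01-15' }
    [pscustomobject]@{ SamAccountName = 'kwhite'; Enabled = $false; Description = $null;                        whenChanged = [datetime]'2008-11-03' }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $true;  Description = 'IT security';                whenChanged = [datetime]'2008-06-01' }
)
$sample | Get-StaleDisabledAccount -ActiveStaff 'asmith' -AsOf ([datetime]'2009-01-20')
```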
20/01/2009 10:09:24
|
rascal
SysAider
Joined: 17/06/2008
Messages: 11
Location: Brixen, Italy
Offline
|
Yes, we disable the user account.
We have a checklist with various tasks (export mail to a *.pst file, disable account, change password, etc.).
After 60 days the user account will be deleted.
|
|
|
21/01/2009 03:59:51
|
Tim Sutton
Super SysAider
Joined: 15/07/2008
Messages: 64
Offline
|
Our "leaving user" policy runs something like this on the IT side:
1. User account is removed from any sec groups, password changed and an e-mail out of office set up with who to contact instead. User account is moved into a "retired users" OU which has a really restrictive GPO applied.
2. User's machine is imaged off, image is archived onto DVD / archive server, machine is then reimaged with the company standard and apps deployed ready for reissue to someone.
3. After 2 weeks the account is completely disabled and their e-mail account is exmerged and then stored on DVD / archive server.
4. A further 2 weeks down the line and the account is deleted.
That's the plan at least, lol.
|
|
|
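The account side of step 1 in the post above (group removal, password change, move to the retired-users OU), as an added example that is not part of the original thread. It uses the ActiveDirectory module; the function name, the OU path and the description text are placeholders, and the out-of-office reply and the later disable and delete stages are left out.

```powershell
#Requires -Modules ActiveDirectory
# Added example: stage 1 of a leaver process. Run with -WhatIf first to preview.
function Start-LeaverStage1 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$RetiredOU = 'OU=Retired Users,DC=example,DC=com'   # placeholder path
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # Capture memberships before removal so access can be restored if the
    # leaving date turns out to be wrong. MemberOf excludes the primary group.
    $groups = @($user.MemberOf)
    if ($groups.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($SamAccountName, "Remove from $($groups.Count) group(s)")) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false
    }

    # Replace the password with a random value that nobody knows or records.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password to random value')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret
    }

    # Stamp the start date on the account so the later stages can be scheduled
    # and audited, then move it under the OU that carries the restrictive GPO.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Move to $RetiredOU")) {
        Set-ADUser -Identity $user -Description "Leaver stage 1 started $stamp"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $RetiredOU
    }

    # Return a record to attach to the ticket or archive.
    [pscustomobject]@{
        Account       = $SamAccountName
        Stage1Date    = $stamp
        RemovedGroups = $groups
    }
}

# Usage (jdoe is a constructed account name):
#   Start-LeaverStage1 -SamAccountName jdoe -WhatIf
```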