60

We have been using a company to administer our (small office) IT infrastructure. We don't have complete records of what has been done or hasn't been done and don't know what we need to ask for in order to pick this up ourselves. Is there a good "checklist of things to make sure you get" for people in this situation? (Windows OS product keys, installation media(?), domain controller admin password, etc.)

HopelessN00b
albiglan
    You might consider having the old IT company overlap the new IT company for a month, if they will do it. – jftuga May 23 '12 at 19:49
  • 1
    This actually happened a year ago :-) Asking for future reference and figured it would be good to have this answer in the forum! – albiglan May 24 '12 at 02:36

6 Answers

61
  1. All passwords (for all devices, applications and accounts).
  2. All records relating to software, licensing and media (including purchase order history/proof).
  3. All media (including installation media and live data backups).
  4. All documentation, including:
    • Server, hardware, network (including IP addresses) and operating system configurations.
    • Details of processes and procedures (e.g. adding users, creating new mailboxes, etc.)
    • Information on any automated / manually triggered jobs (backups, housekeeping, etc.)
    • Review the documentation beforehand and have them make improvements if you have questions or find missing/old information.
  5. Details of any third party contracts they might have taken out for support that you may need to take on / take out yourself (e.g. hardware maintenance).
  6. Any physical / VPN / secure access items (badges, keys, tokens, fobs, etc.)
  7. Information about telecom accounts
  8. Logins to any websites you might need (download software, open support cases...).
  9. Account information related to domain name registrations, details of registrars used, etc.
  10. Copies of any security certificates, and the relevant key phrases. Ensure the old supplier also destroys their copies.

And once this is all done - change all the passwords.

EightBitTony
  • 14
    Badge, keys, tokens, fobs for VPN/NOC/Building access. – jscott May 23 '12 at 19:22
  • Can I ask for an edit to the answer to list out devices to ask for passwords for? (e.g. "Domain controller, managed switch, ...") Great list! – albiglan May 23 '12 at 20:36
  • 2
    Shamelessly copying bullet points from the other answers to this one, since this seems to be the favored answer so far. (also, IMHO, the other "in addition" answers should have probably been edits to this anyway) – EEAA May 23 '12 at 20:44
  • 5
    I've also seen a lot of companies install a customer remote desktop/support software on the company computers that you may want to have them uninstall. Sometimes these are customized VNC programs that were scripted on and can be clunky to manually remove. – Bad Dos May 23 '12 at 21:14
  • @ErikA it's a collaborative answer site, feel free to edit the answer and make it better. I don't recall shamelessly copying bullet points from other answers, but I did incorporate information from some of the comments to my answer (and I upvoted the relevant comment). – EightBitTony May 23 '12 at 21:43
  • @albiglan I don't think you should restrict the question for passwords to specific devices, I think you should ask the IT company all passwords. I actually think you should have a solid contract in place before you engage the company so that this doesn't come up at the end - but we're past that point. – EightBitTony May 23 '12 at 21:44
  • @EightBitTony - yes, I know. That's why I added those bullets to your answer. I've been around the block a few times here. :) – EEAA May 23 '12 at 21:46
  • I know you have which is why your claim of me shamelessly adding bullet points seems a little hollow. I've tidied the list up, merging duplicates. I don't understand #7 and #9 if someone else wants to clarify them. – EightBitTony May 23 '12 at 21:48
  • 2
    No, I was not directing that at you, I was commenting on my own action of shamelessly adding. :) – EEAA May 24 '12 at 00:05
  • @EightBitTony Was more thinking it would be helpful to have the list of stuff for people. Some people might not know/remember switches, WAPs, PBX systems, etc. all have PW's also ErikA... Really love the collaboration on the answer! – albiglan May 24 '12 at 02:39
  • 2
    @ErikA my apologies for being over sensitive. – EightBitTony May 24 '12 at 07:17
  • 1
    You could probably add: 11) Document all scheduled automated and non-automated procedures such as backups and 12) document all ad-hoc procedures, such as creating new users, opening mailboxes, etc. – Zlatko May 24 '12 at 10:38
16

In addition:

Account information related to domain registrations.

  • +1 - this is a good one. I've just been through the situation of wrangling ownership of a domain back from a rogue IT person who registered it on behalf of a company. – Mark Henderson May 23 '12 at 21:52
9

In addition to those that you mentioned...

  • static IPs of all devices/servers (so you know what devices you need to manage)
  • information about telecom accounts
  • all other passwords for all devices and services (the domain admin account isn't the only one)
Bigbio2002
9

In addition:

Logins to any websites you might need (download software, open support cases...).

MichelZ
6

All of the answers so far have been awesome.

Ensure that you have purchase records for Licenses. Some that you may not think of include Small Business Server (SBS) CALs, SQL Server Licenses, Terminal Services Licenses. Also if your servers have Out-Of-Band Management (HP's iLO, Dell's DRAC, etc), ensure that you are provided with those license keys.

Ensure that you have any SSL Certs for websites, email, logins, etc.

Be prepared to do a password reset fire-drill. I would audit services and scheduled tasks that don't run as a builtin account (such as Local System, Network Service accounts). (If I remember, I'll dig up the audit tools that I've written at a previous gig.)

Also, it behooves you to audit the licenses. Ensure that they are registered to your company, not the IT Service Provider. Also important is ensuring that they are appropriate licenses for the use; I am validating that MSDN SQL licenses are not being used in Production environments. Action Packs, Microsoft Subscriptions, Gold Reseller memberships and such give great benefits such as free licenses, but they are restricted as to where and how they can be used.


By way of enabling you to behoovulence, here's some help:

Here is a script that I've had sitting around that I've released that will report services running on machines that are not running under a builtin service account.

GitHub:gWaldo:ListServices

gWaldo
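The audit described in the answer above (services and scheduled tasks that do not run as a built-in account), sketched as an added example; this is not the script linked in the answer. It assumes PowerShell on Windows 8 / Server 2012 or later, where `Get-ScheduledTask` is available, and the helper name `Test-BuiltinAccount` is hypothetical.

```powershell
# Added example: list services and scheduled tasks on this machine that run
# under a non-built-in account, i.e. the places a password reset can break.

# Built-in identities whose passwords you do not manage (matched case-insensitively).
$builtinPattern = '^(LocalSystem|(NT AUTHORITY\\)?(SYSTEM|LOCAL ?SERVICE|NETWORK ?SERVICE)|NT SERVICE\\.+|S-1-5-(18|19|20))$'

function Test-BuiltinAccount {
    param([string]$Account)
    # No account recorded (e.g. a task bound to a group): nothing to reset here.
    if ([string]::IsNullOrWhiteSpace($Account)) { return $true }
    return $Account -match $builtinPattern
}

# Services: Win32_Service.StartName holds the logon account.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { -not (Test-BuiltinAccount $_.StartName) } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Kind     = 'Service'
            Name     = $_.Name
            RunAs    = $_.StartName
            Detail   = "StartMode=$($_.StartMode); State=$($_.State)"
        }
    }

# Scheduled tasks: Principal.UserId is the run-as account. LogonType shows
# whether a password is stored (Password) or the task only runs while the
# user is logged on (Interactive).
$tasks = Get-ScheduledTask |
    Where-Object { -not (Test-BuiltinAccount $_.Principal.UserId) } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Kind     = 'ScheduledTask'
            Name     = $_.TaskPath + $_.TaskName
            RunAs    = $_.Principal.UserId
            Detail   = "LogonType=$($_.Principal.LogonType); State=$($_.State)"
        }
    }

# Emit objects so the result can go to Format-Table or Export-Csv.
@($services) + @($tasks) | Sort-Object Kind, RunAs, Name
```

Run it on each server before the password reset and keep the output; every `RunAs` account listed needs its new password entered on the matching service or task.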
1

PIN/Password for phone accounts if you have a corporate account with a cellular carrier.

If you have remote management tools for tablets/phones, software and passwords to the management console.