Decommissioning a windows user

0

I already have procedures in place to remove a user from our domain when they leave their role. In many cases, it's as simple as removing the user from AD.

Should I go further, for example, by deleting their user folder on their PC?

I have googled 'Decommission Windows User', but there doesn't seem to be any documentation or best practices...

3-14159265358979323846264

Posted 2018-08-20T10:37:37.767

Reputation: 83

Question was closed 2018-08-20T20:40:53.190

This is entirely up to you. – Ramhound – 2018-08-20T11:16:12.703

What problem are you trying to solve? Are you concerned disabling the AD user account isn't sufficient to block their access? – I say Reinstate Monica – 2018-08-20T11:30:15.733

I would hope that removing a user from AD would be enough to block their access, at least on a machine that was connected to the DC! But I was wondering if there are any other sensible/well known steps that I should follow other than removing the account. If there are none, then I will still be happy! – 3-14159265358979323846264 – 2018-08-20T15:29:32.080

@DavidPostill. Do you have any recommendations as to where I should post this sort of question, as it cannot be reworded? If I google superuser, the description is "Super User is a question and answer site for computer enthusiasts and power users". Surely this is a power user question, and sometimes a collection of opinions is actually the best answer you could ask for. Is my question not relevant in the power user arena? – 3-14159265358979323846264 – 2018-08-21T09:37:06.973

Answers

1

Part of this is a legal or human resources question. Did the user leave on good terms or under a cloud of suspicion? Do other users taking over their role need access to files? Is email involved, and if so, is it subject to potential litigation? In an extreme case, could deleting their files be considered destruction of evidence? Those aren't technical issues.

On the technical side, disabling the account (not even deleting it) will generally block most access. I have to say "most" because in today's mobile, connected world there are a lot of things being cached and synchronized. The user could use cached credentials to log in to a computer that is disconnected from a network.

One important technical issue to be aware of is that ActiveSync (the most common way for phones to access Exchange) can allow access to the mailbox after the account is disabled. (See https://blogs.technet.microsoft.com/messaging_with_communications/2012/06/26/part-i-disabled-accounts-and-activesync-devices-continuing-to-sync/)

In cases of "urgent dismissal", I'd recommend having a checklist (which can then be scripted) that covers all of the technical and manual steps that you (the IT department) and others (people like HR, physical Security, etc.) need to do if someone leaves the company suddenly. That checklist can then be vetted and approved by management or legal as well. Some starting points are in that blog from Joe Schaeffer.

You can search for topics like "Termination Checklist" for samples.

bph

Posted 2018-08-20T10:37:37.767

Reputation: 46

Thanks for your insight. To me, this seems like a perfectly valid concern, and a reasonable question to ask. I will check out that blog, and I will also follow your advice to google termination checklist :0) – 3-14159265358979323846264 – 2018-08-21T09:39:45.770
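The answer above recommends a scripted checklist and points out two gaps that a plain AD disable leaves open: cached logon and ActiveSync partnerships. The PowerShell below is an added example of what the technical part of such a checklist can look like; it is not code from the answer or from Super User. It assumes a workstation with the RSAT ActiveDirectory module and an already-established Exchange management session (Set-CASMailbox, Get-MobileDevice and Remove-MobileDevice come from Exchange). The OU path, log directory and ticket id are placeholders to replace with your own values.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added offboarding example (not from the original post). Assumptions:
  - RSAT ActiveDirectory module is installed on the machine running this.
  - An Exchange management session is already open (Set-CASMailbox,
    Get-MobileDevice, Remove-MobileDevice are Exchange cmdlets).
  - $DisabledOU, $LogPath and $TicketId are placeholders for your environment.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $DisabledOU = 'OU=Disabled Users,DC=example,DC=com',  # placeholder OU
    [string] $LogPath    = 'C:\OffboardingLogs',                    # placeholder path
    [string] $TicketId   = 'HR-0000'                                # placeholder ticket
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogPath -Force | Out-Null
$log = Join-Path $LogPath ("{0}-{1:yyyyMMdd-HHmmss}.log" -f $SamAccountName, (Get-Date))

# Every step is written to a per-user log so HR/legal can see what was done and when.
function Write-Step([string] $Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Verbose $line
}

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName

# 1. Disable rather than delete: the SID, mailbox and file ownership survive for a
#    handover or a legal hold, and the account can be re-enabled if HR reverses the decision.
Disable-ADAccount -Identity $user
Write-Step "Disabled account $($user.DistinguishedName)"

# 2. Reset the password so any written-down or shared copy of it is useless.
#    Caveat: this does not clear cached logon verifiers on a laptop that stays off the
#    network, so recovering the device remains a manual item on the checklist.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Set-ADAccountPassword -Identity $user -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
Write-Step "Reset password (value deliberately not logged)"

# 3. Record and strip group memberships: the logged list is what a successor's access
#    request can be built from, and the disabled object no longer grants access via groups.
foreach ($groupDn in $user.MemberOf) {
    $group = Get-ADGroup -Identity $groupDn
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    Write-Step "Removed from group $($group.SamAccountName)"
}

# 4. Block ActiveSync/OWA and remove device partnerships: a phone with an existing
#    partnership can keep syncing after the account is disabled (the gap the answer cites).
Set-CASMailbox -Identity $SamAccountName -ActiveSyncEnabled $false -OWAEnabled $false
Write-Step "Disabled ActiveSync and OWA"
foreach ($device in (Get-MobileDevice -Mailbox $SamAccountName)) {
    Remove-MobileDevice -Identity $device.Identity -Confirm:$false
    Write-Step "Removed device partnership $($device.DeviceType) $($device.DeviceId)"
}

# 5. Annotate and park the object so audits can see why it is disabled and a later
#    cleanup job can delete it after the retention period agreed with HR/legal.
Set-ADUser -Identity $user -Description ("Disabled {0:yyyy-MM-dd} ticket {1}" -f (Get-Date), $TicketId)
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
Write-Step "Moved to $DisabledOU"

Write-Output "Offboarding steps for $SamAccountName logged to $log"
```

Because the script declares SupportsShouldProcess, running it with -WhatIf makes every AD and Exchange cmdlet report what it would do without changing anything, which is a convenient way to have the checklist reviewed before it is used for real. Deleting the profile folder on the PC, which the question asks about, is deliberately left out of the script: that decision depends on the retention and litigation questions the answer raises, not on the technical steps.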