What is best-practice for ex-employees?

In Business, Cloud by Ryan, Professional Services

Someone is no longer at your company – what’s next? Do you wipe the computer, change passwords? We find this to be a blurred topic with people, which is why we tend to deal with it for our clients, and internally.

We have broken our methods into 5 steps that are best-practice and resolve any outstanding issues, such as data leakage or access which is no longer applicable.

Make no mistake, this isn’t our “top 5 ways to fire people”, but when you do have to streamline, or someone leaves, you do need to quickly address some key security matters.

1. Access lockdown

Sound cool?
Revoking access to company data is the most important process when someone leaves your company. Depending on your business, you may have multiple systems that you need to remove access to. This can be problematic if they use multiple services, such as on-premises Active Directory as well as Cloud services such as Office 365 and Concur.

However, with Azure Active Directory, you are able to implement SSO (Single Sign-On) which will allow you to log in to thousands of third-party apps using the same credentials as you use to log on to your office PC or to Office 365 online. This means that all you need to do if a user leaves is disable one account.

No more of that painstaking checking of every app in silos; it can all be done from a single point of management.


However, an important thing to consider when a user leaves is that they may know other users’ passwords or shared passwords (such as for the company Facebook page).

These are often left unchanged, which means that the leaver can still log in and, with the example of Facebook, post messages as your company! So make sure you understand users’ privileges while they are there, so that when they leave, you can make the relevant changes.

2. Set presence

For emails, it is always a good idea to make sure that an Automatic Reply is set up for when someone emails a leaver. This ensures that they are informed of the recipient’s change in status.
It’s therefore a good idea to supply alternate contact information, so that you can still help satisfy the requirements of outsiders.

As a practical example: clients who are trying to email a leaver are not left wondering why no one from your company is getting back to them.

3. Archive data

Before you delete a leaver’s accounts, it’s important to ensure you have an archive of any data they stored. For example, you can export Exchange mailboxes to a .PST file or use a feature in Office 365 called “in-place hold” to ensure that the emails are retained within the Cloud.

This is useful in the event that you need to find a certain email they sent. The last place you want to be is trawling through archives to find an email you thought you were included in.

It’s also a good idea to check their office computer for any data they may have left behind so that a copy can be retained.

4. Clean up

In addition to steps 1-3, it’s always valuable to go through the PC they were using and remove the profile from their PC (once you have archived the data, of course). This ensures that if another person tries to use the computer, there isn’t any confidential data left behind from the previous user.

Through restoring the device, you will hopefully also make it slightly quicker!

5. Document

A final best practice to consider is to document exactly what has been done – this provides a full audit trail so that you can ensure everything was completed correctly.

This also means that someone (usually a more senior member of staff) can check through the leaver request to ensure that everything has been completed as per the policy.

We also think that through documenting, we can ensure that no matter what technology or software leavers had used, we can correctly respond to it.
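The Azure Active Directory and Office 365 parts of the five steps above, as an added PowerShell example (not RedPixie's own script). It assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules with sessions already connected; the parameter names, the `Invoke-Step` helper and the audit log path are hypothetical, and it uses Litigation Hold in place of the in-place hold named in step 3.

```powershell
# Added example, not from the original article. Assumes Connect-MgGraph and
# Connect-ExchangeOnline have already been run with rights to manage the user.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,       # placeholder, e.g. leaver@example.com
    [Parameter(Mandatory)] [string] $AlternateEmail,  # placeholder contact for the auto-reply
    [string] $AuditLog = '.\leaver-audit.csv'         # hypothetical audit trail location
)

# Run one step and append its outcome to the audit trail (step 5), pass or fail.
function Invoke-Step {
    param([string] $Name, [scriptblock] $Action)
    $result = 'OK'
    try { & $Action | Out-Null } catch { $result = "FAILED: $($_.Exception.Message)" }
    [pscustomobject]@{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Operator = [Environment]::UserName
        Leaver   = $LeaverUpn
        Step     = $Name
        Result   = $result
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    Write-Host "$Name -> $result"
}

# Step 1: disable the one sign-on identity, then revoke refresh tokens so
# sessions that are already signed in cannot be renewed.
Invoke-Step 'Disable account' {
    Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false -ErrorAction Stop
}
Invoke-Step 'Revoke sign-in sessions' {
    Revoke-MgUserSignInSession -UserId $LeaverUpn -ErrorAction Stop
}
Invoke-Step 'Verify account is disabled' {
    $user = Get-MgUser -UserId $LeaverUpn -Property AccountEnabled -ErrorAction Stop
    if ($user.AccountEnabled) { throw 'account is still enabled' }
}

# Step 2: automatic reply pointing senders at an alternate contact.
$reply = "This person has left the company. Please contact $AlternateEmail."
Invoke-Step 'Set automatic reply' {
    Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Enabled `
        -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All -ErrorAction Stop
}

# Step 3: retain the mailbox before anything is deleted. Litigation Hold is used
# here; it is a different hold feature from the in-place hold named in the text.
Invoke-Step 'Place mailbox on hold' {
    Set-Mailbox -Identity $LeaverUpn -LitigationHoldEnabled $true -ErrorAction Stop
}

# Not covered: shared passwords the leaver knew still have to be changed by hand.
```

Every step writes a row to the CSV whether it succeeds or fails, so the file can be attached to the leaver request for the senior review described above.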


Well, those are our thoughts – we’d love to hear what your approach is, so comment below.

Written by James Wade | Service Desk Analyst, RedPixie
