Unfortunately, we are not only hiring new employees all the time: in a company of 200 people, it’s normal that someone occasionally leaves. Most leave on good terms, to take the next step in their career or to go back to university for a master’s degree. A few leave because they’re not a good fit for our corporate culture. But no matter why someone leaves Paessler, we must always ensure a clean and accurate offboarding.
The process for offboarding is quite similar to the onboarding process, but it’s more time-critical, since we need to find exactly the right time to close the employee’s account. Closing it too early means that the colleague can’t finish his job; closing it too late means that someone who doesn’t work for Paessler anymore still has access to our internal systems. In most cases that wouldn’t mean any significant danger, because most people leave as friends. However, since we’re talking about sensitive data which could endanger our company’s future, it’s better to take it seriously and to work as thoroughly as possible.
The Process
When an employee is about to leave, he will usually inform his team lead and HR. HR will then open a ticket for IT to let us know that a colleague is leaving, including the date for that person’s last day at work. Usually HR will ensure that he returns any equipment he had received from Paessler, such as mobile phones, laptops, or monitors for his home office. We in the IT team have to ensure that the returned hardware is checked and then set back to its original settings so we can give it to new employees, if possible.
The more serious task is to delete the user profile and close all accounts at the right time. Therefore, we wrote another script that works, more or less, in the opposite direction of the onboarding script.
The script includes:
1. Resetting the account password to a random, 30-character string
2. Converting the mailbox into a shared mailbox
3. Removing all groups
4. Moving the user to a special OU
5. Removing or deactivating licenses
6. Replicating the changes in the domain and in Exchange
7. Disabling ActiveSync, IMAP and POP in Office 365
8. Setting status to “Sign in Blocked” in Office 365
9. Disabling the user
This list will be a little bit different for each environment, but following a similar process will help you ensure consistent and timely cleanup when someone leaves your company.
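The nine steps above, in the same order, as a PowerShell function. This is an added example, not Paessler's script; it assumes the mailbox lives in Exchange Online, that `Connect-ExchangeOnline` and `Connect-MgGraph` sessions are already open, and the function name, parameters and OU path are hypothetical.

```powershell
# Added example, not Paessler's script. Needs the ActiveDirectory,
# ExchangeOnlineManagement and Microsoft.Graph modules, with sessions already
# opened via Connect-ExchangeOnline and Connect-MgGraph.
function Invoke-Offboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$LastDay,            # from the HR ticket
        [string]$LeaverOU = 'OU=Leavers,DC=example,DC=com'   # hypothetical OU
    )
    $ErrorActionPreference = 'Stop'   # halt on the first failed cmdlet
    # Timing guard: running early would lock out someone who is still working.
    if ((Get-Date) -lt $LastDay) { throw "Last day is $LastDay; refusing to run." }

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $id   = [string]$user.ObjectGUID  # still resolves after the OU move
    $upn  = $user.UserPrincipalName

    # 1. Random 30-character password; 64 symbols, so byte % 64 has no bias
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = [byte[]]::new(30)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    Set-ADAccountPassword -Identity $id -Reset `
        -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    # 2. Shared mailbox (done before the licenses are removed in step 5)
    Set-Mailbox -Identity $upn -Type Shared
    # 3. All groups except the primary group, which AD will not let us remove
    Get-ADPrincipalGroupMembership -Identity $id |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $id -Confirm:$false }
    # 4. Special OU
    Move-ADObject -Identity $id -TargetPath $LeaverOU
    # 5. Licenses
    $skus = Get-MgUserLicenseDetail -UserId $upn | Select-Object -ExpandProperty SkuId
    if ($skus) { Set-MgUserLicense -UserId $upn -RemoveLicenses @($skus) -AddLicenses @() }
    # 6. Replication (assumption: pushing the AD changes to all domain controllers)
    repadmin /syncall /AdeP
    # 7. Mail protocols
    Set-CASMailbox -Identity $upn -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false
    # 8. "Sign in Blocked"
    Update-MgUser -UserId $upn -AccountEnabled:$false
    # 9. Disable the on-premises account
    Disable-ADAccount -Identity $id
}
```

The generated password is never written out or returned, so nobody can sign in with it between step 1 and step 9.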