Pau Lo
asked on
temp staff AD maintenance best practice
Do you have any specific best practices or processes you follow when it comes to management of your AD user list when employees are temporary? From a security angle there are routine reports provided by HR in relation to users who have left employment, or transferred to a new role. But often temp/agency staff are not recorded in your HR system at all so slip the net. Just wondering what controls you have in place to ensure temp agency staff are effectively maintained, e.g. deleted once their temporary contract has ended.
I think you have the wrong end of the stick when it comes to my suggestion of having the manager change the passwords.
Most managers I work for, when someone leaves, either 1) have the user press [ctrl][alt][del] while logged in and change the password immediately, 2) (usual method) have the password given to them and change the password, or 3) ring me to change the password.
In any of those usage cases, I don't see how it is a security risk.
Another scenario that happens is I get a call asking to reset the password at a set time to correspond with an employee being dismissed.
I have one customer where the owner/manager has access to HIS OWN server and changes the password at the server. Again, I don't see it as a security risk.
Maybe one of these methods will suit the OP.
If a large company puts users in an OU and delegates permission to set a password for their staff, then I don't see that as a security risk either. I'd expect the business to have done due diligence and decided they could trust that manager. This is NOT however what I was suggesting.
If the OP was in a business large enough for this to be a security problem, I daresay, they'd have a large IT team, a set of procedures and this question would never have been raised.
Best practices as requested.
I also ensure that all managers know how to change a password and I explain to them that when an employee leaves, they need to change it immediately and then let me know so I can do my bit.
I usually pull up a scare story of "that one customer" I had where an ex-employee deleted files and sent rude emails out from their user account because no-one had changed their password.