Pau Lo

temp staff AD maintenance best practice

Do you have any specific best practices or processes you follow when it comes to management of your AD user list when employees are temporary? From a security angle there are routine reports provided by HR in relation to users who have left employment, or transferred to a new role. But often temp/agency staff are not recorded in your HR system at all so slip the net. Just wondering what controls you have in place to ensure temp agency staff are effectively maintained, e.g. deleted once their temporary contract has ended.
John

I require all customers to tell me when an employee leaves so I can clean up.  

I also ensure that all managers know how to change a password and I explain to them that when an employee leaves, they need to change it immediately and then let me know so I can do my bit.  

I usually pull up a scare story of "that one customer" I had where an ex-employee deleted files and sent rude emails out from their user account because no-one had changed their password.
ASKER CERTIFIED SOLUTION
Daryl Bamforth
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I think you have the wrong end of the stick when it comes to my suggestion of having the manager change the passwords.  

Most managers I work for, when someone leaves, either 1) have the user press [Ctrl][Alt][Del] while logged in and change the password immediately, 2) (usual method) have the password given to them and change the password or 3) ring me to change the password.  

In any of those usage cases, I don't see how it is a security risk.  

Another scenario that happens is I get a call asking to reset the password at a set time to correspond with an employee being dismissed.  

I have one customer where the owner/manager has access to HIS OWN server and changes the password at the server.  Again, I don't see it as a security risk.  

Maybe one of these methods will suit the OP.

If a large company puts users in an OU and delegates permission to set a password for their staff, then I don't see that as a security risk either.  I'd expect the business to have done due diligence and decided they could trust that manager.  This is NOT, however, what I was suggesting.  

If the OP was in a business large enough for this to be a security problem, I daresay, they'd have a large IT team, a set of procedures and this question would never have been raised.
SOLUTION
btan
This solution is only available to members.
Best practices as requested.