LOL Thanks Steve. When you're documenting a procedure for a not so
technical manager, you want to make it idiot proof.
On Tue, Mar 25, 2008 at 10:39 AM, Steve Ens <[EMAIL PROTECTED]> wrote:
Nicely done Sherry! I guess everything IS bigger in Texas, even
the documentation.
On Tue, Mar 25, 2008 at 10:32 AM, Sherry Abercrombie
<[EMAIL PROTECTED]> wrote:
Documentation from our Data Center Admin Sharepoint
site, it includes screenshots of the specifics mentioned.
Wednesday, December 20, 2006
9:05 AM
Procedures for Disabling User Accounts
1. In the account properties, on the "Account Tab"
place check mark in the "Account is Disabled" box.
2. On the "Member Of" tab, look for any distribution
groups and remove them, this will remove user from distribution lists.
3. On the email address tab, uncheck the
"Automatically update email addresses....". Click on the smtp address
that is for [EMAIL PROTECTED] and click on the "set as primary
address", then click on the [EMAIL PROTECTED] smtp address and remove
it.
4. On the "Exchange Advanced" tab mark the check box
by "Hide from Global Address List"
5. On the same tab, click on the mailbox rights tab
and follow these procedures taken from Microsoft KB 319047:
On the View menu in the Active Directory Users and
Computers snap-in, click Advanced Features.
On the Exchange Advanced properties tab of the disabled
user object that owns the mailbox, click Mailbox Rights, and then search
the list of accounts for one that has the Associated External Account
permission.
If no account has this permission, grant the SELF
Account, Associated External Account, and Full Mailbox Access
permissions.
Note The SELF account is available in all Microsoft
Windows 2000 domains. All SELF accounts share a well-known SID that is
the same across all domains. If the SELF account is not already listed
in the Permissions dialog box, you can add it by typing SELF as the
account name.
If the SELF account or another account currently has
Associated External Account permissions, remove the Associated External
Account permissions from that account.
Only one account at a time can have the Associated
External Account permission. Therefore, to reset the permission, you
must first remove this permission.
Exit all properties dialog boxes for the user object. To
do this, click OK at each level. Do not click Cancel.
Changes to permissions are not applied until you exit
all properties dialog boxes.
After the DsAccess cache is refreshed, the new
configurations take effect. E-mail messages that are sent to the
disabled account no longer generate NDRs.
Pasted from
<http://support.microsoft.com/kb/319047/en-us>
6. In ADUC, look for a folder named: Microsoft
Exchange System Objects. If it doesn't show up, make sure you have the
advanced view selected.
In this folder you will find a distribution group called
"NDRs". Open the properties for this group and go to E-mail addresses
tab. On this tab click on the "New" button.
On the new address window, double click on SMTP Address
In this window type in the full smtp address of the
account you just disabled
Click OK. This will add the external email address to a
distribution list that goes nowhere, which will eliminate NDRs.
7. Check for remote access accounts in VPN and Shiva
and delete those accounts.
These procedures were written at a managers request so
that he could disable accounts when it was requested of him, hence the
very detailed step by step procedures. We very rarely have a manager
request access to former employees files & email. Sometimes that
happens prior to termination and in that event, the manager must have
the chief officer over them give IT approval to do that. We do have in
our company policy that is given to all employees a statement to the
fact that all data saved on company servers and desktop computers is the
property of the company and not subject to any kind of privacy,
including email.
On Tue, Mar 25, 2008 at 9:52 AM, Terry Dickson
<[EMAIL PROTECTED]> wrote:
These can be highly Company specific. When I
know in advance I do a
backup of the user's PC ASAP, and usually after
hours. We have had a
few people that "knew" in advance and started
deleting stuff. I also
either eliminate the account or disable it. Our
best practices "guide"
calls for everyone in the department where
employee worked to change PW.
Since it is only a guide it is not always
followed.
Check all systems user has access to, especially
web based ones to
disable or change PW on.
-----Original Message-----
From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2008 9:35 AM
To: NT System Admin Issues
Subject: Termination Process
Do any of you have a process you can share for
IT responsibilities when
employees are terminated? I.E., disabling the
account, archiving PST
and Document files, removing account from DLs,
etc.?
Roger Wright
Network Administrator
727.572.7076 x388
____
The only problem with seeing too much is that it
makes you insane.
--Phaedrus
Picture (Device Independent Bitmap)
~ Upgrade to Next Generation Antispam/Antivirus
with Ninja! ~
~
<http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
--
Sherry Abercrombie
"Any sufficiently advanced technology is
indistinguishable from magic."
Arthur C. Clarke
--
Sherry Abercrombie
"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
LOL there is no idiot proof, they will find a better idiot :-)
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
-----Original Message-----
From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2008 11:47 AM
To: NT System Admin Issues
Subject: Re: Termination Process
~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
