Thanks, guys (and gals)!
Roger Wright Network Administrator 727.572.7076 x388 ____ This is the tomorrow you worried about yesterday. And now you know why. From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 25, 2008 11:33 AM To: NT System Admin Issues Subject: Re: Termination Process Documentation from our Data Center Admin Sharepoint site, it includes screenshots of the specifics mentioned. Wednesday, December 20, 2006 9:05 AM Procedures for Disabling User Accounts 1. In the account properties, on the "Account Tab" place check mark in the "Account is Disabled" box. 2. On the "Member Of" tab, look for any distribution groups and remove them, this will remove user from distribution lists. 3. On the email address tab, uncheck the "Automatically update email addresses....". Click on the smtp address that is for [EMAIL PROTECTED] "http://notprimarydomain.com"notprimarydomain.com and click on the "set as primary address", then click on the [EMAIL PROTECTED] "http://primarydomain.com"primarydomain.com smtp address and remove it. 4. On the "Exchange Advanced" tab mark the check box by "Hide from Global Address List" 5. On the same tab, click on the mailbox rights tab and follow these procedures taken from Microsoft KB 319047: On the View menu in the Active Directory Users and Computers snap-in, click Advanced Features. On the Exchange Advanced properties tab of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission. If no account has this permission, grant the SELF Account, Associated External Account, and Full Mailbox Access permissions. Note The SELF account is available in all Microsoft Windows 2000 domains. All SELF accounts share a well-known SID that is the same across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF as the account name. If the SELF account or another account currently has Associated External Account permissions, remove the Associated External Account permissions from that account. Only one account at a time can have the Associated External Account permission. Therefore, to reset the permission, you must first remove this permission. Exit all properties dialog boxes for the user object. To do this, click OK at each level. Do not click Cancel. Changes to permissions are not applied until you exit all properties dialog boxes. After the DsAccess cache is refreshed, the new configurations take effect. E-mail messages that are sent to the disabled account no longer generate NDRs. Pasted from <http://support.microsoft.com/kb/319047/en-us> 6. In ADUC, look for a folder named: Microsoft Exchange System Objects. If it doesn't show up, make sure you have the advanced view selected. In this folder you will find a distribution group called "NDRs". Open the properties for this group and go to E-mail addresses tab. On this tab click on the "New" button. On the new address window, double click on SMTP Address In this window type in the full smtp address of the account you just disabled Click OK. This will add the external email address to a distribution list that goes nowhere, which will eliminate NDRs. 7. Check for remote access accounts in VPN and Shiva and delete those accounts. These procedures were written at a managers request so that he could disable accounts when it was requested of him, hence the very detailed step by step procedures. We very rarely have a manager request access to former employees files & email. Sometimes that happens prior to termination and in that event, the manager must have the chief officer over them give IT approval to do that. We do have in our company policy that is given to all employees a statement to the fact that all data saved on company servers and desktop computers is the property of the company and not subject to any kind of privacy, including email. On Tue, Mar 25, 2008 at 9:52 AM, Terry Dickson <HYPERLINK "mailto:[EMAIL PROTECTED]"[EMAIL PROTECTED]> wrote: These can be highly Company specific. When I know in advance I do a backup of the user's PC ASAP, and usually after hours. We have had a few people that "knew" in advance and started deleting stuff. I also either eliminate the account or disable it. Our best practices "guide" calls for everyone in the department where employee worked to change PW. Since it is only a guide it is not always followed. Check all systems user has access to, especially web based ones to disable or change PW on. -----Original Message----- From: Roger Wright [mailto:HYPERLINK "mailto:[EMAIL PROTECTED]"[EMAIL PROTECTED] Sent: Tuesday, March 25, 2008 9:35 AM To: NT System Admin Issues Subject: Termination Process Do any of you have a process you can share for IT responsibilities when employees are terminated? I.E., disabling the account, archiving PST and Document files, removing account from DLs, etc.? Roger Wright Network Administrator 727.572.7076 x388 ____ The only problem with seeing too much is that it makes you insane. --Phaedrus Picture (Device Independent Bitmap) ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
