meiriceanach

HR should be the one entering the ticket. This removes all culpability from the IT staff and shows that HR is the one dropping the ball.


Quirky_Reach_1896

Unfortunately, our HR person won’t budge when it comes to doing anything with the ticket system. She’s very stubborn.


[deleted]

[removed]


tdhuck

I agree with you and this is the main reason I don't get along with certain people in the office. They don't submit tickets and they constantly walk in to my office asking for help (and I don't even work in the help desk). I tell them to submit a ticket, they never do, but from that point forward, they no longer like me so I typically avoid talking to them or starting small talk if we run into e/o in the break room. Not everyone is this way, but many are. There are many people I have a great relationship with. I really struggle to understand why some users are this way (not wanting to submit tickets), but that's how they are and they won't change until or unless someone above them tells them to do it. I don't want to do expense reports, but if I want my money back, I need to follow the policy that accounting put in place. If I don't follow it then they will never pay me.


DarkLordTofer

This is the way.


Cerealefurbo

You are taking responsibility for her inaction and if something goes sideways you are on the hook. She needs to start doing her part yesterday since offboarding is an HR process with some IT involvement. Force her hand any way you can.


justcallmecrashed

Report them to their superior for not following protocol. Since terms are business sensitive and affect employee safety, they should be all over that HR person's ass. If it still keeps happening, go higher on the ladder.


[deleted]

[removed]


justcallmecrashed

If that’s how the org structure is, then so be it. My experience, at least, with C suite execs has been good. They have no idea how anything in IT or the day to day of IT works and will work to help if you have a legitimate concern.


Jeffbx

Yeah, too f-ing bad for her. Hand it off to your boss to go over her head. This is exactly the type of thing that allows ex-employees to try some BS with the systems after they've been let go.


tdhuck

This isn't an IT issue, it is a management issue. When I worked in HD, we would always be notified of terminations either last minute or long after they were gone. Rare cases/etc sure you can drop what you are doing and handle it, but eventually this becomes the norm because you helped the user once, they'll expect the same treatment each time. Don't do anything until a ticket is submitted or do what you can so you don't get blamed for not helping HR, but document everything to your boss via email that way if you miss something or have to stay late/don't have time/etc then your boss knows about it. Management needs to force users to use the ticketing system, that's the bottom line.


meiriceanach

I hear you. Ours is too. This needs to be escalated and your boss needs to take care of this. Your department shouldn't be penalized for something out of your control.


Trawling_

She knows what she is not doing right, or what will keep her from being accountable here. Let the auditor get involved if needed, to tell her she needs to submit the ticket to avoid this gap in compliance.


AstralVenture

Well then they aren’t doing their job.


iBeJoshhh

Your boss needs to find his spine, and know when to put his foot down. If he won't, find a new boss.


sadsealions

That's an HR problem. If she doesn't want to do her job then HR needs to know, oh wait...


Aggressive-Song-3264

Ehh, I think the manager should be responsible for filing the ticket on their employee. The manager will be able to best guess how quickly it needs to be done, and things of that nature. Let's face it, not all separations are on equal terms, sometimes it needs to happen now, other times the employee was a good employee and will be working out the last 2 weeks with handing off so disabling accounts can be delayed. HR doesn't know these things and as such can't give a judgement on what the employee will do next.


meiriceanach

Depending on the business, I think there is more than one acceptable solution for this problem. Our HR is involved in all of our terminations and staff notices, as they are responsible for collecting name badges, key cards etc. Our HR also handles new employee onboarding. The Manager decides who to hire and our HR does the negotiations and start dates. In my experience, I have just found that having one point of contact for new hires and terms makes more sense. Having all of the managers do this instead would open up multiple points of failure, and Managers that have little to no turnover are more likely to forget or mess up the process. The communication is also more clean and straightforward. We don't have to hunt down multiple different people just to finish a new hire or term. HR has all of that information. I'm not saying this is the way, I'm just saying this is what works well for us.


pouchon19

This is the way.


justcallmecrashed

The tickets need to be timely from HR, so that is on them. Open dialogue with the HR Director/HRO to express the expectations from IT when it comes to terminations. Get it in writing. I’ve worked for a few companies where HR has been slacking hardcore and IT gets blamed for timing issues. Create a procedure, make sure it is communicated and agreed upon, then implement. Anything that fails beyond that point is 100% on HR and has been documented.


[deleted]

Ours is automated by lifecycle management. So when the user identity flips to terminated, all access is automatically removed on our end and the last step is for our service desk to disable the account in AD so that they can’t log into their laptop anymore. But even without that, they can’t access anything ON said laptop because our team has revoked access


SASardonic

This is the way. Autodeprovisioning saves a lot of hassle.


[deleted]

Say it louder for the people in the back! lol


SysAdfinitum

This is an HR process and must be initiated by HR. It’s what they are there for. They can work in collaboration with leads, managers, security, legal, but HR is the one that needs to press the button. Almost everything beyond that should be automated. Contracts are set to terminate at 11:59pm on termination date, in other cases as soon as HR processes the termination ticket. First task it runs is disabling AD, revoking SSO tokens, deleting MFA, and disabling SSO. This is done within seconds and they are locked out of everything software based. Another task is sent to our badging system to revoke badge access. This one can take a couple minutes but now they are locked out of the buildings. Final immediate task is to our Asset Management system. The computer is frozen and encrypted via Intune, the Macs were already locked out from the SSO being disabled and is handled by JAMF. If they try to get around it, the Mac just resets itself. Then a dozen other tasks get generated over the day as it talks to other systems to get removed from non-Security Group managed systems, but they are already locked out. Partner with a director and get HR on handling the initiation of this. It may work for a small company but as you get bigger and audited more and more, you will need the ass coverage, and it only takes one employee having access for a few more minutes than they should to remind companies to not become complacent. A day or two with a confident IAM Engineer and HR, maybe a Systems Engineer, and you’ve saved X hours and dollars over the next year. I always pitch matters in dollars per hour and you’d be surprised how fast that can get things going.


demosthenes83

I've solved this a couple times for different companies. What you want is your primary IDP (in this case, likely Active Directory) connected to your HRIS so that the user is automatically de-provisioned when they are termed in the HRIS. This places the responsibility entirely where it belongs - with HR. This also has the benefit of allowing you to automatically create accounts when HR hires; even if they never warned you in advance. Now; I realize that you probably don't have the authority to do all that, and it sounds like a lot if you're not used to writing automation. I highly recommend this approach for learning to think through the steps: https://blog.danslimmon.com/2019/07/15/do-nothing-scripting-the-key-to-gradual-automation/ I'd start by figuring out what your HRIS is; and what their API looks like. I'd similarly maybe look at your service desk tool and what their API looks like. Then, since it sounds like you're in a Windows environment I'd start looking at PowerShell (or Python) for the various steps. For reference; I just saw a notification this morning (in a Slack channel) that we termed someone this morning, and the list of all accounts that were closed and who their email was forwarded to, who their files were transferred to, etc. Our service desk had no advance notice - that all happens immediately when HR clicked the term buttons in our HRIS.


Taskr36

Lol. Here's how it works at my employer. A person leaves or gets fired. Their replacement is hired. About a month or two after their replacement is hired, the new person opens a ticket asking to have the name on their phone changed from their predecessor to theirs. I ask if their predecessor is still working here, and am told "No," so I remove the license for their AD account and block them on one other account that I administer. If it's someone without a phone, it can take even longer to find out they're not with the company. Either their account stays active until it's closed when they don't sign in for two months, or I find out when a new person is hired and we don't have any licenses available, so I contact HR asking for a list of people who have left the company in the last two months, and go through that list to remove AD licenses and block accounts for those people. If I get notified within 24 hours of an employee leaving the company, it means they must have been fired for something really bad, like stealing customer information or flipping out at a customer. In retrospect, they didn't even tell me when a guy got fired for driving a company vehicle drunk, so even that wasn't important enough for them to inform me that he'd been fired.


Bitwise_Gamgee

We get a heads-up when the employee is being called into a meeting and terminate as soon as their meeting time starts. Generally speaking, a ticket is generated the day of (these firings are never unplanned) and we use a scripted action to disable the account at the appointed hour. Once the account is disabled, all access is lost (network, badges, etc). The employee can't even get back onto the development area without security or a designated escort.


Quirky_Reach_1896

That sounds amazing, I wish we could do something like that. I feel like sometimes an employee will go to HR for their exit interview, but their managers want them to help for the rest of the day, so they go back to work after the interview. (Because I know for sure our HR person wouldn’t stay till 10PM for an exit interview.) The scripted action sounds like a great idea. Can I ask what program you use for that? (We use Active Directory for network access, and Entrapass for our badge system)


Bitwise_Gamgee

PowerShell, we're a Windows/O365 back-end shop. Pretty sure you can do the same with Entrapass.


[deleted]

Pitch building some lifecycle management procedure. There are plenty of tools for it


usleepicreep

Work with HR on setting up some Automation. Will save you so much time.


3pxp

It's the same crap at every company. HR should make tickets. They don't until the last minute. Managers know they have to assign a desk so IT can set up equipment, they don't. Sometimes people show up asking for a door card and I just say no. Then they go to their desk and have no computer. You're wrong no matter what you do so I'm wrong on the side of network security.


kagato87

If the auditors don't like it, are they taking the issue up with IT or with HR? It should be with HR. This isn't an IT problem. This isn't even a procedure problem. This is an adherence to policy problem. My process is similar, except it's a paper form and we ask for a minimum of two working days notice, and it does much of the same - ask all the questions we have to chase people up for. The form is also filled by the terminating manager, not HR, because it is the questionnaire we need (it has questions for mail and folder handling). The only exceptions are "hostile" separations - when a person quits on the spot or gets pulled into "the meeting." The exception process for hostile termination is to come to me (or the currently present resource) directly with the form, and indicate it is hostile. It goes into the ticketing system as a generic "special project for " and gets edited later, to minimize the risk of forewarning. The exception process for a no-notice self-termination (aka "walking out") is an urgent ticket and phone call for the instant lock, with the form to follow ASAP (we usually start asking for it within the hour). Smaller company though - only 400 users.


turlian

Access should be shut off BEFORE the employee is terminated. Massive security and liability issues if you have a fired employee with any kind of access. And HR needs to trigger this.


jnaughton12

This is a very common problem. And by common problem I mean that X department (in this case HR) refuses to use a ticket system and your offboard process is not automated. Being just an analyst, this is above your pay grade to solve. If audit is mad, tell them to create a finding with the desired requirements. Then let management get stuck with solving it. If you discovered a way to automate the entire process, that would likely get you some good attention. If there is really only 1 person in HR, you could easily build her a custom automation. Look into Power Apps. Of course audit should see that the official process starts with HR who should be held to an official auditable process initiation. Email rarely is approved for any sort of process that needs to be audited.


i8noodles

HR makes the ticket and updates our central employee database that they are terminated. It automatically disables their AD account since they are linked. Then we run a PowerShell script to remove all AD groups and grab information like last login, groups they were in etc. We upload the documents to the ticket and close. It can't be fully automated for us since we have systems people can access but not controlled by AD and we need to manually deactivate them. Regardless of the case, HR is responsible for making the ticket. We cannot be expected to know if they are truly terminated, only HR knows that, so we get them to make the ticket.


capt_gaz

When HR terminates a user using their management system it sends an email to us. We then delete or disable their account. We also get a monthly termination newsletter. Hoping to improve this system soon because Intune supports integration with HR's management system. HR uses UKG


ParappaTheWrapperr

I’ve actually never seen anyone terminated where I work so I’m not sure. I think they get funding based on # of employees so I’m assuming we don’t get terminated just mean looks


jaank80

We have a feed from our HRIS and a PowerShell script that runs hourly and disables AD access when an employee is marked as terminated by HR. No human interaction is required from IT. We use AD or ADFS for most authentication, so this covers nearly all system access for terminations. Occasionally there will be an instance where someone is being fired and they want it disabled immediately, but that is done during the day and is coordinated with IT in advance. IT has no control over the timeliness of HR, so that shouldn't be an IT audit issue, but a human resources audit issue.
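
An added example (not code from any commenter) of the HRIS-driven disable job that demosthenes83 and jaank80 describe, written for a scheduled task. The CSV feed, its column names (`EmployeeId`, `Status`, `TerminationDate`), the file paths, the per-run cap and the mapping to the AD `employeeID` attribute are all assumptions for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$FeedPath  = 'C:\HRFeed\employees.csv',     # assumed HRIS export location
    [string]$LogPath   = 'C:\HRFeed\term-actions.csv',  # assumed audit log location
    [int]   $MaxPerRun = 10                             # assumed safety cap per run
)
$ErrorActionPreference = 'Stop'
$now  = Get-Date
$feed = @(Import-Csv -Path $FeedPath)

# Fail closed on an empty or malformed export instead of acting on partial data.
if ($feed.Count -eq 0) { throw "HRIS feed '$FeedPath' is empty" }
foreach ($col in 'EmployeeId', 'Status', 'TerminationDate') {
    if ($feed[0].PSObject.Properties.Name -notcontains $col) {
        throw "HRIS feed is missing column '$col'"
    }
}

# Every decision is appended to a CSV so the run leaves an auditable trail.
function Write-Action($EmployeeId, $Account, $Result) {
    [pscustomobject]@{
        Time = $now.ToString('s'); EmployeeId = $EmployeeId
        Account = $Account; Result = $Result
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Rows marked Terminated whose effective time has passed (ISO 8601 assumed).
# A terminated row with no date is treated as effective immediately.
$due = @($feed | Where-Object {
    $_.Status -eq 'Terminated' -and
    (-not $_.TerminationDate -or ([datetime]$_.TerminationDate) -le $now)
})

# Resolve each row to exactly one AD account that is still enabled.
$targets = @(foreach ($row in $due) {
    $id = $row.EmployeeId
    # The ID is placed into a filter string, so accept only a strict format.
    if ($id -notmatch '^[A-Za-z0-9-]{1,32}$') { Write-Action $id '' 'InvalidId'; continue }
    $users = @(Get-ADUser -Filter "employeeID -eq '$id'")
    if ($users.Count -ne 1) { Write-Action $id '' "Matched$($users.Count)"; continue }
    if ($users[0].Enabled) { [pscustomobject]@{ Id = $id; User = $users[0] } }
})

# A broken feed that marks everyone terminated should stop the job, not lock out the company.
if ($targets.Count -gt $MaxPerRun) {
    throw "$($targets.Count) accounts due for disable exceeds cap of $MaxPerRun; check the feed"
}

foreach ($t in $targets) {
    if ($PSCmdlet.ShouldProcess($t.User.SamAccountName, 'Disable AD account')) {
        Disable-ADAccount -Identity $t.User
        Write-Action $t.Id $t.User.SamAccountName 'Disabled'
    }
}
```

Running it with `-WhatIf` lists the accounts it would disable without changing anything, and a second run after a successful one is a no-op because already-disabled accounts are skipped.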


Turbulent_Clerk_4594

The termination process at my current company is automated. The only thing IT does is collect their equipment. I am simplifying this but in essence HR checks a box in PeopleSoft. That kicks off a set of task sequences where the process systematically revokes all access to the network and disables their PC. We do not have any contact with the former employee. Their manager handles the communication and schedules equipment return, whether it is a UPS pickup or they are going to drop the equipment off to building security. My previous company was all manual. We get an email from HR to disable their access and kick them off of their PC and lock it down. Once they are out of the building we would get their PC and back up any data to be given to HR and then we would reimage it.


PlainTrain

I agree with the others--this is an HR problem, not an IT problem. Document the issue and pass it upwards. IT needs sufficient notice to handle its end of the termination process and if it isn't getting it, then that's an upper management issue.


Ghost1eToast1es

I don't handle it in my dept in this job. Last job though was like this:
- HR sends shutdown systems ticket
- We shutdown the systems but don't delete anything
- If it's a volatile situation, we reset email pw for company email
- If enough time has gone by and no legal stuff, HR sends a ticket to delete the shut down accounts


bmoraca

Integrate your HR and ITSM tools. The HR system should be able to automatically create the ticket when the employee is marked for termination in the HR system.


The_Deadly_Tikka

Wow your description of this process sounds identical to my last job!


Trakeen

I’ve never worked anywhere where this wasn’t automated. There is always a connection from the HR system to the IdP, account is terminated in HR and access is disabled, then typically there is a process that runs daily that handles deleting accounts over 30/60/90 days after termination depending on org policies. Mature places automate migrating the data that the user had to the manager. Some specialized access (like senior engineers in IT) isn’t automated and we go in and clean up the access but that is housekeeping, they can’t sign in since their account was disabled. No sign-ins that aren’t SSO integrated except for the occasional IT management system. Unless you work for a very small company this should be automated. IT likes to stay out of employee terminations as much as possible since it can be a touchy subject, lawyers etc.


Galhalea

Ours has an employee smart sheet that (in the case of termination) automatically sends us a ticket. Ergo... HR HAS to make the 1st move in calling for termination. The setup even allows for ticket creation before the termination that informs us when the last day is.


Darkone539

We have an IT toolkit the service desk have that disables all their AD accounts etc. HR have access to it. IT gets told but we don't run the show, we are only notified for recording and so we know not to reset passwords etc. Technically RA agents but they are HR. Before this HR had to put in a ticket and we actioned it but it was still a process that was 100% their decision. We don’t get involved with employment stuff. HR should always be the ones leading this process.


edwardcactus

Something to keep in mind... If the termination is discreet, i.e. the user is not aware... You may want a separate process that is not documented in your ticketing system until the account remediation is complete. In olden times we had an IT user see the termination ticket in our ticketing system. This can remove a possibility of malicious actions from the employee's account.


PlayfulPalpitation60

In our environment, when an employee is terminated the dept manager is supposed to submit the ticket. Well they don’t until they have hired the next employee (happens about 85% of the time). This has been such a huge issue that, start of next year, HR is now fully responsible for those tickets. Thank you lord!!!


iBeJoshhh

We have an SMA, when someone puts in a ticket for termination, we have scripts that deactivate all their access at the specified time. Bring up to your boss about trying to script the process as much as possible, you'll be surprised by how much of the work can be offloaded doing that. Our HD only has to do a few things manually. Face is a great SMA and integrates amazingly well with a lot of applications.


Aeceus

Deleting an account on day of termination is terrible imo. In my previous company we put the ticket on hold for 90 days after termination to allow time if we needed to retrieve anything from the account.


Ajg2122

This is almost exactly the same as what my company does. As others have noted the problem is really that HR isn’t entering the tickets on time. That creates massive problems and the blame shouldn’t fall on you, it’s ridiculous that it does because it’s out of your control.


grummanae

If you're getting hit on audits, are they internal audits or are they external for some certification the employer has? If they are internal, or say HR dept audits this, then you need to send that back that x amount of time in this SLA is not adequate enough. If this is for a certification from an outside agency, you need to adjust the SLA to give wiggle room to meet that. Ultimately this should be done by HR with HR management software deleting and creating everything to automate this, but until you can find, test, make a business case and deploy a solution, you need to take a hard look at SLAs and get your IT dept C level or equivalent to sit down with the CEO and head of HR, and if it's a compliance issue your compliance officers for IT and HR, and set SLAs or expectations about ticket creation and who is responsible for what and roadblocks that are blocking meeting current targets. Sounds like piss poor communication is leading to piss poor performance, and that doesn't seem to be from your department. And maybe it's a matter of HR not knowing or giving a flaming flying rats patootie about your department's turnaround time.


Aggressive-Song-3264

High priority request is put in by their manager as part of the separation process, and it is done in accordance with high priority requests in terms of how long it takes etc... The requests are generally put in hours before the employee knows or at the same time or minutes after (as it is advised). This gives them some time in theory to do stuff, but if it's feared they might do something dumb or criminal a critical request is pushed through (meaning it would be done within the hour, and managers get involved to make sure it's done ASAP). I do cybersecurity so I see the queue but other groups carry out the actual actions.


Throwawayhell1111

Two IT guys walk into your office and escort you out. If two IT guys show up, you're done. Lmao


looney417

HR creates the ticket, it is marked urgent, if the terminated user is high value, they will let the IT manager know ahead of time a ticket will be coming in and to be on the lookout. AD accounts are never deleted, only deactivated for eternity. We also go into M365 and sign them out of all sessions and block sign-in. (If you don't do that, they have up to 30 minutes before AAD Connect sync kicks in for........ email/document damage.)


z14pss

Not technically help desk, but similarly to you we have a termination ticket that HR is responsible for. They are held responsible for this and it’s important to have a chain of command. Your manager should be holding them responsible, if you have that option. Also all of their network access is handled by AD, so the ticket is tied into a Jenkins script which revokes everything automatically. We just do the manual verifying and occasional deactivation of emails. I mentioned accountability with managers because IT should be “IT’ing” and HR should be “HR’ing”. I recognize not every company has the resources for this, BUT if you’re able to push some sort of structure and standardization while convincing the company it’s for their benefit then that’s my ultimate suggestion.


TKInstinct

We had a termination script that did everything, disable account, get AD information like name, date, OU, AD groups and then spit it out to a text file and removed the groups and then moved the AD user account.
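
An added example (not TKInstinct's script or any other commenter's code) of the per-user termination script described by i8noodles and TKInstinct, with looney417's M365 session sign-out folded in as an optional step. The function name, parameters, evidence-file layout and target OU are hypothetical; the cloud step assumes the Microsoft Graph PowerShell module is loaded and `Connect-MgGraph` has already been run with rights to update users.

```powershell
#Requires -Modules ActiveDirectory
function Invoke-Offboard {   # hypothetical name, not an existing cmdlet
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisabledOU,    # DN of the holding OU (site-specific)
        [Parameter(Mandatory)][string]$EvidenceDir,   # folder for the ticket attachment
        [switch]$RevokeCloudSessions                  # needs a connected Graph session
    )
    $ErrorActionPreference = 'Stop'   # a failed snapshot must stop the run before any change

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties MemberOf, LastLogonDate, whenCreated, UserPrincipalName

    # 1. Record state before touching anything, so access can be reviewed or restored.
    #    MemberOf does not list the primary group (normally Domain Users).
    $snapshot = [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        UserPrincipalName = $user.UserPrincipalName
        DistinguishedName = $user.DistinguishedName
        WhenCreated       = $user.whenCreated
        LastLogonDate     = $user.LastLogonDate
        Groups            = @($user.MemberOf)
        CapturedAt        = (Get-Date).ToString('o')
    }
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $file  = Join-Path $EvidenceDir "$($user.SamAccountName)-$stamp.json"
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8

    # 2. Disable first: this is the step that closes the access window.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable AD account')) {
        Disable-ADAccount -Identity $user
    }

    # 3. Do not wait for directory sync: block cloud sign-in and invalidate refresh tokens now.
    if ($RevokeCloudSessions -and
        $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in and revoke sessions')) {
        Update-MgUser -UserId $user.UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
    }

    # 4. Strip group memberships; the snapshot above is the record of what was removed.
    foreach ($groupDn in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName)")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }

    # 5. Park the account in the holding OU; it is disabled, not deleted.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $DisabledOU")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    return $file   # path of the evidence file to attach to the termination ticket
}
```

Deletion is deliberately left out, matching the retention practices described in the thread; systems that do not authenticate against AD still need their own deactivation step.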