March 2012 IT Business Consulting Newsletter

Departing Employee? How to Process them Gracefully and Securely

By Tom K

A departing employee can be a nightmare or, if you have pre-defined policies and procedures in place, it can be a simple inconvenience.

The depth of those procedures and policies can change depending on the employee’s position on the Organization Chart and whether the employee is leaving with blessings or in handcuffs.

In this month’s newsletter I outline some of the key policies and procedures you should have in place to ease the challenges of a departing employee, and describe how their implementation might be altered depending on the circumstances of the termination.

Pre-defined Policies

You should have several pre-defined polices in place to simplify the Departing Employee (DE) process. These policies should:

  • Define your rights to access the DE’s emails and files
  • Prohibit the DE from deleting any emails or files
  • Prohibit the installation of Remote Access applications on Company resources
  • Define the structure and use of a digital company document filing system
  • Limit employee data access to files and resources necessary to their job function
  • Limit access to core Administrator/Admin account credentials
  • Establish a rigorous Data Backup strategy

I have discussed many of these policies in previous newsletters:

The "Employee IT Use & Abuse Policies" article (Jan 2012) discusses creating an employee policy that clearly states that any information created, stored, or processed on Company computers becomes the exclusive property of the Company. This gives you complete rights to all the DE’s emails and files, and prohibits the DE from deleting or removing any emails or files, as they are the property of the Company.

This policy also prohibits the installation of any applications (and specifically Remote Access apps) on Company PCs without written authorization from Management.

If you have a properly designed Company/Department/User document filing strategy in place, very few documents will end up in a user’s private storage space as most documents should belong to a department and will be filed within the department’s storage space. This will greatly reduce the number of files in the DE’s private space that would need to be reviewed and re-filed. See the "Simplify Data Organization and User Management" article (Nov 2010) for more details.

This article also discusses simple methods for setting user permissions within the filing structure so users only have access to documents and resources they need to perform their job. If they can’t access it, they can’t damage or delete it.

No staff should have knowledge of core Administrator account passwords unless absolutely necessary. The core Administrator/Admin account credentials are used in multiple instances tucked deep within the servers. If you ever have to change the Administrator/Admin password, finding and updating all the associated instances can be a challenge. Anyone requiring administrative level access should have their user account rights elevated by making the user a member of the appropriate administrative group. I’ll discuss this in more detail in a future article. (See "Protect Your Admin Accounts", May 2012)

That employee leaving in handcuffs may have already trashed a few select files, or everything he could hit with a delete key. A solid Backup System will mitigate this potential destruction. See the "Backup the Company Jewels" article (Oct 2010) for an in-depth discussion of Backup Systems and Strategies.

Pre-defined Procedures

These are some of the procedures you should have in place to simplify the Departing Employee process. These procedures should be documented, and should be summarized in a “Departing Employee IT Checklist”. You should have a similar set of procedures and checklist for HR.

User Account

Change the DE’s Network Password immediately, but keep the account active. This will retain all the DE’s email and documents for review, but locks the DE out of all Company resources, including her email and documents.

Log her out of all network resources to deactivate her old password.

VPN Accounts

VPN systems often use account IDs and Passwords independent from the network ID/Password systems. Ensure the DE’s VPN accounts are deleted.

Additional Accounts

Depending on the DE’s position (and policies) in your Company, she may have access to Administrative accounts and passwords. If so, you need to determine which accounts she has access to, and change those passwords. As noted above, you will need to track down all instances in your servers where these credentials are used for underlying support and management functions, and change them for every instance.

User PCs & Laptops, and Servers

Check for any installed Remote Access applications (LogMeIn, GoToMyPC, etc) on every device the DE had access to and remove any Remote Access applications found. If the De had access to servers, be sure to check these as well.

Customer and Vendor Contacts

Have the DE’s replacement(s) telephone the DE’s contacts ASAP to introduce themselves and provide new contact information. This is a very valuable touch point! And, this communication will redirect most of the DE’s incoming business email and phone traffic to the correct staff.


Assuming you have an Employee IT Use & Abuse Policy in place, assign someone to review the DE’s existing email and forward mail important to your Business to the appropriate staff. The designated staff can access the email by logging into the DE’s PC (using the new password), or from any PC/browser using OWA.

You can either have all new email forwarded to another staff in-box, or have the staff reviewing the old email be responsible for new email. In either case, new mail should be checked and responded to daily.

Don't forget to remove the DE from all internal email distribution lists, as this could greatly reduce the amount of new mail that needs to be reviewed.

You should also set up the DE’s Outlook to send an Out-of-Office message to all senders advising them that the employee has left the company, and all correspondence is being forwarded to “Mary”. If the DE is leaving under good terms, you may consider including their new contact information in this message.


Assuming you have an Employee IT Use & Abuse Policy in place, assign someone to review all the documents in the DE’s personal storage space on your servers, and on his PC. Transfer those important to your Business or belonging to departments to the appropriate directories.

As noted above, if you have a properly designed Company/Department/User document filing system in place, this will be a simple task.

Phone and Voice Mail

If the DE has multiple replacements to cover varying responsibilities, set a Voice Mail message on the DE's extension advising callers that the DE has left the company along with instructions to dial another extension. If the DE has only one replacement, it is simplest to just forward incoming calls to the replacement.

Don't forget to remove the extension from all calling queues.

After a Month

We would expect that the DE’s important emails and files have been reviewed and transferred within a month. Additionally, the DE’s incoming email should have fallen to a trickle. At this point, I’d recommend you delete the DE’s network (AD) account. This will also remove the email account, and is undoubtedly the cleanest way to proceed. Anyone emailing to this account will get a non-delivery message stating the user no longer exists. If the sender was using this account to contact your company, they can easily find an appropriate alternative contact address via your web site if they haven’t already been introduced to their new contact.

If you have any questions or comments concerning this article, or would like assistance developing the policies or procedures discussed to ease the Departing Employee process, I’d be happy to discuss this with you at your convenience. Feel free to contact me at, or via my cell 443.310.5110.

Next month I’ll discuss properly setting up Administrative access to your systems, and best practices for managing that access, as mentioned earlier in this article. See "Protect Your Admin Accounts".