I think generally most of us deal with former employees in a few ways. Mostly looking at Office 365 but applies to other accounts as well.
- We entirely delete/close their accounts.
- We keep their account open for a time, likely converting it to a lower license (no full fat installation rights) but disable sign in, change the password. Forward it to their replacement or otherwise provide access to that account and it’s files as directed by supervisor or HR. After some time, perhaps 3-6 months, close it out. Or use Microsofts deletion process which does all these things on a tighter timeline if there is an immediate replacement.
- Other variations of 2 which keep the account disabled for the user, but otherwise maintains user generated company data at least for a time, for one person or a group of people. For example perhaps converting the account to a group email so a group of people can get emails if their responsibilities are being split up amongst more than one person.
I’ve generally done something like 2 or 3 in the past. Closing out a users account entirely is a pretty dramatic action, especially if there are no backups or files retained. However it was brought to my attention that this may not align with what other departments need or want. For instance an example was that things could get sticky from an HR perspective if one person is being given access to another users account. In addition when someone else in our church was checking with other area churches they received consistent responses that when someone on staff leaves, the account is closed out. Fair enough, any training or experience I’ve had has taught me to treat user work accounts like church/company data, but I understand that different organizations may have different takes on this.
I noticed when searching a bit, that it seems like there hasn’t been a best practices or “what we do” discussion about this on here yet. Perhaps, this is because, as I assumed, we all are following best practices that look somewhat similar. However part of following best practices is following policies from HR or other leadership regarding retention of user generated company data and accounts. So as I review potential changes to our staff exit check list, I’m genuinely curious how some of my peers at other churches handle this, both for what we are working through here, and to have a point of comparison if this comes up for any of you in your church.
I think it will be very much org specific, both the tools that are being used and the culture that it is in.
What I would say to keep in mind:
- Come up with a suggested plan, share with senior leadership, go through the process so that it’s not a surprise to them and you have buy in. You don’t want to be in charge of enforcement or discipline around the implementation (if possible). That typically is their job (and HR’s if existent)
- Use technology best practices whenever possible from the technology provider (if they exist)
- Don’t forget you are dealing with people
- Avoid surprise with the staff, etc. this will be applied to
I work in IT for a managed service provider during the day and volunteer as IT at church as needed and I can give our routine offboarding checklist for our clients. We see a lot of turnover as we deal with thousands of workstations and users. For office 365 we first backup the OneDrive data. This used to not be a consideration but as more and more people use OneDrive as a file backup you do not want to lose that data. As the admin you can access the OneDrive files for any user via the 365 admin console. We typically create a Sharepoint site called OneDrive Backups and copy all content from the departing user to this storage space. 365 gives you so much Sharepoint space creating a site just to house this content is not a deal breaker and you might as well take advantage of that free space per tenant. After the OneDrive is backed up up we then block the sign in. We then convert the account from a standard account to a “shared mailbox”. This allows the email to stay archived for as long as needed without taking up a license and additional cost. After the conversion of the email to a shared mailbox go back and remove the 365 license. Be sure to have the OneDrive backed up before removing the license because although the email address is still active without a license the OneDrive files are deleted as soon as the license is removed. I realize church IT might have less turnover in staff but I’ve done this hundreds of times I’d imagine and it seems to be a good offboarding plan adopted by anyone with a 365 tenant. I’d be happy to answer any specific questions about 365 offboarding if you wanted an answer to something unique.
Any suggestions for same thing except a Gsuite environment? My current environment that I inherited (Church/School) has a dozen or more users that have been gone for years that still have access. I’m hoping to create a formal onboard/off-board process and clean it up.