How long do you keep the disabled account in syncing OU?
Posted by graceyin39@reddit | sysadmin | 42 comments
Hi,
We have an M365 hybrid environment. Our offboarding process is as below:
Disable the account > remove the 365 license and move out of the sync OU after 30 days > delete the account in AD after 90 days.
However, we have the scenario where a user gets rehired and comes back to work after 30 days. This causes the issue that the user can't open a shared OneDrive file because the user's old account is still in the sharer's OneDrive settings. The sharer has to delete the old account and re-share, and then the user can open the file.
I am thinking of keeping the offboarded user's account disabled but in the syncing OU until it is deleted. Is there any potential issue that I have missed?
Please help!
Thanks,
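The day-30 and day-90 stages of the process above, as an added PowerShell example (not code from the thread or from any commenter). It assumes the day-0 step has already disabled the account, stamped the term date into extensionAttribute1 as yyyy-MM-dd and moved it to a "Disabled Users" OU that stays inside Entra Connect's sync scope; the OU path and license group name are assumptions, and licensing is assumed to be group-based.

```powershell
# Added example: staged deprovisioning that keeps the disabled account in a synced OU
# so its Entra/OneDrive identity survives for a rehire. Assumes the RSAT ActiveDirectory
# module and group-based licensing through the AD group named in $LicenseGroup.
param(
    [string]$DisabledOU   = 'OU=Disabled Users,DC=corp,DC=example',  # assumed path
    [string]$LicenseGroup = 'LIC-M365-E3',                           # assumed group
    [int]$LicenseDays     = 30,
    [int]$DeleteDays      = 90,
    [switch]$WhatIf                                                  # dry run
)
Import-Module ActiveDirectory

$today = Get-Date
# Only disabled objects under the staging OU are candidates; enabled ones are skipped
$users = Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' `
    -Properties extensionAttribute1, memberOf
$lic = Get-ADGroup -Identity $LicenseGroup

foreach ($u in $users) {
    # Never guess a term date: an unstamped account is reported, not aged
    if (-not $u.extensionAttribute1) {
        Write-Warning "$($u.SamAccountName): no term date in extensionAttribute1, skipping"
        continue
    }
    $termDate = [datetime]::ParseExact($u.extensionAttribute1, 'yyyy-MM-dd', $null)
    $age = ($today - $termDate).Days

    if ($age -ge $DeleteDays) {
        # Stage 3: delete from AD; the next sync cycle soft-deletes the Entra object
        Write-Output "$($u.SamAccountName): $age days since term, deleting from AD"
        Remove-ADUser -Identity $u -Confirm:$false -WhatIf:$WhatIf
    }
    elseif ($age -ge $LicenseDays) {
        # Stage 2: drop the license but leave the object in the synced OU
        if ($u.memberOf -contains $lic.DistinguishedName) {
            Write-Output "$($u.SamAccountName): $age days since term, removing $LicenseGroup"
            Remove-ADGroupMember -Identity $lic -Members $u -Confirm:$false -WhatIf:$WhatIf
        }
    }
    else {
        Write-Output "$($u.SamAccountName): $age days since term, still in the license grace period"
    }
}
```

Run it first with -WhatIf from a scheduled task account that has rights on the staging OU only, and compare the reported ages against HR's term dates before letting it delete anything.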
Ordinary-Dish-2302@reddit
We disable, remove from all groups, move to terminated OU stage 1 (still syncing). Convert to SMB and set up email forwarding and delegation for that old account. After 3 months it's moved to stage two (not syncing), and finally after 18 months (for ERP reporting) of being terminated the account is purged from existence.
The only manual step in this whole process is HR and Payroll terminating the user out of their systems; then automation picks it up.
ALombardi@reddit
Our process:
Term
Disable and convert to shared
Remove licenses
Email to manager with link to OneDrive
Auto-map shared mailbox to manager
Warn manager: 30 days access, get what you need
Deleted after 30 days in AD, purges Entra/OD/Exchange
Gives us about 45 days of recovery should a rehire happen
Sometimes exceptions to the 30-day deprovisioning happen, but usually they have to be approved by HR or Legal, or the person is board/C-suite.
Stevanti@reddit
If you are in Europe, this is a violation of the GDPR. You are not allowed to give anyone access to another user's mailbox which is in their name, even if the mailbox is property of the company: it might contain confidential information of the user. In compliance with the GDPR: the (former) user must give permission for access AND the company needs a very strong and grounded reason for access, which can otherwise severely impact the business if said information is not retrieved. And even then you are only allowed temporary access to retrieve information and then revoke it.
SingleWordQuestions@reddit
We need to keep stuff for 7 years for legal purposes, how does that work?
Stevanti@reddit
Financial info such as sales, tax and salary information is a different matter. This is specifically about rejected applicants, people who did not get the job, because you have no reason to keep their info longer than required.
stoopwafflestomper@reddit
Does HR never come back, say 6 months later, and ask for email from a termed because they sued for wrongful termination? We have to hold email for a long time because our legal believes it helps prove innocence more than malice.
SingleWordQuestions@reddit
Why not go back to your backups?
TadaceAce@reddit
The idea of just converting the mailbox to shared after term is weird to me. It's keeping the mailbox without the licensing.
Does Microsoft not mitigate this at all? Do you just have thousands of shared mailboxes? Obviously it's an option, but it seems messy to me.
meesterdg@reddit
There's a limit to total storage space on all tenants based on licensing. You will run out eventually.
jws1300@reddit
Surely IT isn't the first aware of the "term". What's the process / procedure right before you do the disable?
HR, supervisor/manager, etc, submit a form?
ALombardi@reddit
No, they aren't the first to know. Typically it will come through HR for a term via Ticket. Every once in a while we'll get a disable request from Security if they suspect foul play of some kind to be safe (assuming that person doesn't have PIM rights to get User Admin), but an actual term basically needs to get a ticket from HR.
At times our HD/EUS/EUC manager will get a "my user just quit" message from a manager and he'll get their account disabled ASAP, revoke Entra tokens and sessions, things of that nature. He'll await a ticket from HR before running the "normal" deprovision/term process script.
The term process I mentioned in the comment above is fully scripted so the only part it would fail on once we get a term ticket from HR for the example user above and action it is the disable. Everything else will happen in short order after that. Separate script runs daily to find any users who hit their 30-day deprov date to delete them from AD.
enceladus7@reddit
We just use retention policies which keeps the mailbox searchable even if hard deleted https://learn.microsoft.com/en-us/purview/create-and-manage-inactive-mailboxes#create-an-inactive-mailbox
Immediate-Serve-128@reddit
Interesting
Illetan@reddit
This is nearly identical to our process.
Commercial-Milk9164@reddit
What is the life cycle of the 'convert to shared'? Do they hang around forever, and how do you keep track of who the owner is?
VG30ET@reddit
Going to look into implementing a process similar to this; just this week we had issues where a manager needed access to an account that was not properly terminated.
lasteducation1@reddit
Yep, disable account, turn to shared mailbox, set an OOO saying they're out of the company and what address to mail instead, disable certain security groups and accesses, delete them from the MFCs, move them to a synced OU that has the accounts that aren't 3 months out of the company yet, and after three months delete them from the AD entirely, without a second thought, but with gusto.
plump-lamp@reddit
Why do you move them to a non-synced OU? What does that accomplish outside of the user account disappearing from Entra?
HugeAlbatrossForm@reddit
HR doesn’t want to see your old employees
plump-lamp@reddit
Hide from GAL, remove from groups. They're also disabled when the user is disabled. Where's HR seeing it?
HugeAlbatrossForm@reddit
I’m not doing all that shit
ChangeOnlyFridays@reddit
Adaxes | Active Directory Management and Automation
plump-lamp@reddit
It's called a script.
h00ty@reddit
We could write the script for them (or just give them a copy of mine) and then give a detailed explanation on how to automate it, OR we could point them to Google... I did this when I worked helpdesk because I am lazy and hate doing the same shit day after day.
veganxombie@reddit
I don't treat my disabled users any differently than my able-bodied users, what is wrong with you
wisco_ITguy@reddit
We expire them, keep syncing, delete them and data after 30 days.
rumforbreakfast@reddit
Heads up - AD expiry doesn't sync to Entra ID.
Expired staff will not be able to log into computers but can still get into cloud services.
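The gap described in the comment above, turned into a daily check. This is an added PowerShell example (not code from the thread or from any commenter); it assumes the RSAT ActiveDirectory module and that Entra Connect syncs the disabled state (it does by default) but not the expiry date.

```powershell
# Added example: AD account expiry does not propagate to Entra ID, so an expired but
# still-enabled user keeps a working cloud sign-in. Converting expiry into an explicit
# disable closes that gap on the next sync cycle. Assumes the RSAT ActiveDirectory module.
param([switch]$WhatIf)   # dry run: report without disabling
Import-Module ActiveDirectory

# -AccountExpired matches users whose accountExpires timestamp is in the past;
# -UsersOnly keeps computer objects out of the result
$expired = @(Search-ADAccount -AccountExpired -UsersOnly | Where-Object { $_.Enabled })

foreach ($acct in $expired) {
    Write-Output ("{0}: expired {1}, still enabled; disabling" -f `
        $acct.SamAccountName, $acct.AccountExpirationDate)
    # Disable is what the sync actually carries to Entra (accountEnabled = false)
    Disable-ADAccount -Identity $acct -WhatIf:$WhatIf
    # Existing cloud sessions are not revoked by this; handle that separately
    # (Revoke-MgUserSignInSession from the Graph SDK, or the Entra portal).
}
Write-Output ("{0} expired-but-enabled account(s) processed on {1:yyyy-MM-dd}" -f `
    $expired.Count, (Get-Date))
```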
wisco_ITguy@reddit
Yep, we don't have any cloud services at this point, although it's coming.
rickAUS@reddit
We keep disabled users syncing in most circumstances because we don't want people turning up later who'll end up with the same UPN/email as someone who used to work there, potentially getting confused with the former staff member, or staff having old inbox rules, etc. that reference the old email and shit goes missing, etc.
Even returning staff get a new account, not their old one.
bigtime618@reddit
If you move them out of a sync OU I'm pretty sure it deletes from Azure; just disable, wait the 90 and delete the disabled account. Maybe I'm missing the question.
Immediate-Serve-128@reddit
Do you eDiscover the mailbox out?
ccosby@reddit
User manager script has a term user function that removes the user from most groups, renames the account with some random number at the end, sets up an extension attribute field with the end date, moves the user to another "archive" OU, disables the user, etc. A scheduled task script removes the group that the Office 365 license gets assigned to a day or two later, and another deletes the account after 90 days (running against that OU they are moved to). If we need to save a mailbox and convert it to a shared one we just move the account to another OU. The Office 365 license stays on for a day or two to allow our management Exchange server to set an out of office (we had an issue with it not applying as the license was pulled too soon). This might actually just run off Office 365 now; I had to fix it a while ago and would have to go back and look to see what I did.
Grandcanyonsouthrim@reddit
We get a lot of users who return, so while we used to do 90 days, we reduced it to 30 days, but it is a debacle if they are given the same UPN after the account is deleted. So we will have to finesse it so that the user is kept on ice longer but with no licencing.
rumforbreakfast@reddit
Day 1: Disable, reset password, export memberships to file, email manager that their account is disabled
Day 14: Remove memberships, move to disabled OU that isn't synced.
antiquated_it@reddit
Days, weeks, months, who knows..
Blade4804@reddit
Account disabled, login tokens rejected, passwords reset. Mbox and OD access granted to manager, send OD URL in email. Account deleted from AD after 60 days. Everything is automated and automatic based on term date in Workday. Easy peasy.
Murhawk013@reddit
We disable the account and move to a non-synced OU immediately. Also convert the mailbox to a shared mailbox.
graceyin39@reddit (OP)
This can't solve the issue that OneDrive sharing won't work if the user comes back to work.
coalsack@reddit
Sounds like a use case for your organization based on corporate policy.
That doesn’t make it an “issue”.
BlackV@reddit
Seems like an issue.
The existing user tries to share to the returning user, and selects the returning user from a list.
The returning user can't then access that shared item because, behind the scenes, 365 is looking at the user path and not the user1 path:
https://company-my.sharepoint.com/personal/firstname_lastname_company_com1 instead of the old address https://company-my.sharepoint.com/personal/firstname_lastname_company_com
ddaw735@reddit
I move all my disabled accounts to a synced but heavily restricted OU. Gives users a chance to read emails and OneDrives.
I delete them after 60 days.
Jtrickz@reddit
Syncing OU; the second they are disabled and cleared of attributes by a script by helpdesk, kept in a tombstone, forever.