Employee passed away two weeks ago. Account is still active. HR says we can't touch it until legal signs off. Legal says they need the death certificate first. Anyone dealt with this?
Posted by BeneficialLook6678@reddit | sysadmin | 195 comments
Genuinely uncomfortable situation and I'm not sure what the right call is from a purely technical standpoint.
One of our employees passed away unexpectedly about two weeks ago. Family notified HR directly. HR notified IT. We went to disable the account in Entra and deprovision from Okta the same way we would any termination, and HR stopped us. Their position is that until legal formally processes the separation, they can't update the HRIS status, and therefore IT shouldn't take any action that might interfere with estate or beneficiary processes.
Legal wants a certified copy of the death certificate before they do anything. The family is dealing with everything you'd expect them to be dealing with and hasn't submitted documentation yet.
So right now we have an active account, valid credentials that presumably no one knows except the individual who is no longer here, sitting fully provisioned with access to all the same apps and data as before. No one has logged in since the day before they passed — we can see that in the sign-in logs — but the account is technically open.
Our security team is pushing us to at minimum force a password reset and revoke all sessions. HR says that's still "account action" and they want to hold everything until legal clears it.
I get that there are processes for a reason but I'm struggling to understand what the actual risk of a session revoke is to any estate or benefits process. Has anyone been through this? Is there a documented approach for handling this gap between "we know the person is gone" and "we have paperwork to prove it"? Specifically wondering if others have gotten legal to agree on a middle ground — like read-only preservation mode or something — while the formal process catches up.
Lost-Droids@reddit
Revoke all and password reset. HR don't make IT policies (Also in reality they will never know it happened)
Tekashi-The-Envoy@reddit
This is the answer. Just take charge and get it done.
You don't want the next article to be "Dead employee's credentials used in attack - IT dept too scared to deactivate them"
SmurfForFun@reddit
What’s the difference if this employee was dead or alive? Does them being dead make their creds more available to the world? I’d still do it but that’s a funny idea lol
Roquer@reddit
In the days of work apps on byod devices and MFA tokens getting sent to a phone, yes there is a huge difference.
VCoupe376ci@reddit
You greatly underestimate the amount of users out there that have their passwords written down because they can’t remember what they ate for breakfast, much less a password that must be changed often.
jimicus@reddit
And I wouldn't like to bet against a certain amount of informal credentials sharing because it's easier to do that than it is to get the right people access to the right things.
Vodor1@reddit
Well in theory multiple other people might be using them now to "sort things out", so chances are probably higher - statistically speaking.
ScriptThat@reddit
We had a "case" kinda like this last year.
An employee had died. Notice in the paper, collection in the office for a bouquet for her funeral, all the usual things. We never got an account termination notice, so we locked the account and revoked access tokens just to be on the safe side, and a few days later we got the semi-expected ticket from her department.
"[Dead User's] account is locked. Please unlock it."
"[User] should use her government Online ID on the self service portal to unlock her account. "
Then crickets for a few hours until a much more sane ticket showed up.
"please help us get access to [dead user's] files in [location]"
fedesoundsystem@reddit
Yeah, but: if legal told you, you are not accountable. If hell breaks loose, the heads popping off would be theirs, not yours.
ethnicman1971@reddit
Yeah but it’s not legal who said so. It’s HR
KallamaHarris@reddit
Then make sure it is in writing
xendr0me@reddit
If legal told you to jump off a bridge, would you do it? - I.T. has a responsibility to keep the network secure, by changing the password and revoking sessions/MFA you are still in a change hold on the account, the data is still intact. Don't listen to legal on matters of I.T. specifics. They just want to make sure there is retention on the data for future purposes.
larryseltzer@reddit
Even better, it's on Reddit
Break2FixIT@reddit
What ever happens on reddit, stays on reddit
breagerey@reddit
not legally being on the hook doesn't absolve OP of any of the IT issues
DarthShiv@reddit
IDGAF what idiots in legal say about accounts being active. They have no idea what they are talking about. Disabling accounts is standard practice for this stuff. Re-enabling an account at any time is trivial.
braytag@reddit
Never heard of "you misunderstood our request"?
It happened to me 6 months ago:
"I should have been clearer in my explanation of the shitstorm their stupidity was about to cause..."
VCoupe376ci@reddit
Even in the fantasy land where that is true, the disaster mitigation would still be on IT and the repercussions would be so much worse than having Legal upset you disabled an account you have the legal right to disable.
Whether the paperwork has been completed or not, the employee no longer will be reporting to work and people not employed with the company may now have access to company resources. The account is company property, not part of the decedent's estate. Someone in legal at this guy's org is a complete idiot.
CharacterUse@reddit
I suspect HR is talking to legal, asking them about HR procedures, and passing on their interpretation of the answer to OP, without specifically asking legal about the IT account. OP needs to be talking to legal directly.
LifeGoalsThighHigh@reddit
If things go sideways, having things in writing is nice and all, but it will ultimately still be your mess to clean up.
The blame seldom falls upon the infallible angels in Legal and HR.
moise514@reddit
I kinda disagree. Depending on where OP is in the org and what kind of place it is, he could get in trouble for absolutely no reason. Getting on the bad side of HR is never a good idea.
Lost-Droids@reddit
We have it documented in policies and processes that no one will ever be chastised for taking action if related to a security concern. Any and all action will be deemed acceptable as it's always better to be safe than sorry.
rcobourn@reddit
Also force reset HR's password while you're at it.
Vesalii@reddit
That's what I would do too. The account still exists but at least it can't be abused.
Inquisitor_ForHire@reddit
I just link up a GPO that requires a 200 character password and tell it to require reset. :)
DarthShiv@reddit
Exactly. Disabling an account is not their domain either.
atworkslackin@reddit
Also you can remove login hours it's what we do when people go on protected leave.
DrStalker@reddit
In any scenario I can think of where they do find out, they will be happy it was locked so there is confidence it was not used after the person died.
sambodia85@reddit
Yep, if the dead employee wants access, they can call the service desk, 💀
Vodor1@reddit
Yup, password reset at minimum, as no one should know their current one who is to know any different.
what_dat_ninja@reddit
This right here. I recently had a similar situation - an employee is having a sensitive immigration situation and HR approached me to handle it delicately. They want the employee back as soon as it's resolved and don't want her accounts to look any different, but she can't have any system access. Took back laptop, revoked sessions, revoked MFA, reset credentials. Accounts are still active, groups and permissions are intact, but the account is inaccessible.
TreborG2@reddit
This is the way
ispguy_01@reddit
We had an employee pass away at my work and we disabled the account and reset the password and moved it to the non-active folder. This was SOP at my company. The IT manager at your company should have the clout to do that and if legal or HR have an issue with it they cannot talk about it but a security loophole was closed with our SOP actions.
DrStalker@reddit
Disabling the account and setting a random password will not interfere with that, and can be reversed if needed.
That's enough to be secure while HR and legal do... whatever those departments do.
Expensive_Plant_9530@reddit
What in god's name would the estate or beneficiary be doing logging into their deceased relative's work accounts anyway?
grumpyolddude@reddit
Clearly they shouldn't be accessing it as the deceased employee, but often payroll, retirement/401k, health insurance, w2/taxes, paid vacation time, life insurance and other benefits as well as correspondence from those are going to go through the employee portal/sso and corporate email. A spouse/beneficiary with access might want to access those records directly.
r3rg54@reddit
I worked at an investment management firm and someone logging into a deceased person's account is a compliance incident. A spouse can access that info, but not with the decedent's username.
mrlinkwii@reddit
personal files (pictures, important estate information, the list can go on); depending on how local law is written, they might be entitled to said files
mcdade@reddit
Access to mfa codes or password reset where they used their work email as a recovery address.
Gadgetman_1@reddit
The only thing is if the deceased also used his laptop and email for private business.
And THAT is a pain. We tell our users NOT to do that, but still...
And the estate will NOT be given access to OUR computers. If they think there's something on it or in their email, a team consisting of IT, the deceased's manager and HR will go through it and look for the contents.
DrStalker@reddit
I have no idea what they would want to do, but as the person responsible for security I don't want them to do it.
Reetpeteet@reddit
Plus I sincerely doubt that a company-owned account or laptop is part of the inheritance or estate. Come on... someone in HR / Legal is being very weird.
mrlinkwii@reddit
some data might be, depending on how the law is written
whythehellnote@reddit
Or perhaps it's evidence in a murder case. There's a reason legal exists.
Exciting-Ad-5858@reddit
Yeah wtf are they concerned will be interfered with? Very confused RE what the risk even is here
Alypius754@reddit
HR doesn’t know enough to ask the right questions, Legal is answering them, HR doesn’t understand the answers. Legal might be worried about data retention requirements but that’s about all. I doubt Legal knows what’s really going on.
Password reset, revoke 2FA, disable account. None of these are legally questionable.
CharacterUse@reddit
I suspect HR is asking legal about generalities and passing on that answer to OP without asking legal about the specifics of the IT account.
ranhalt@reddit
Reverse changing the password? Does someone know the employee’s current password?
DrStalker@reddit
Technically you could restore a password hash, but in this case the reverse is less literal; if needed you could set a new, known password to undo having a password that no-one knows.
F0rkbombz@reddit
Of all the “wtf” things I’ve seen here this one is pretty high up there in sheer stupidity.
Your HR and Legal are flat out being obtuse morons.
Nobody has ever gone through this b/c nobody else’s HR and Legal teams are this moronic. When an employee passes away, IT off-boards the account, it’s that simple. There’s usually a little delay b/c of the situation but other than that, it’s off-boarded through normal SOP.
I’m not gonna give you career advice, but your security team’s approach is the only logical response if they won’t let you disable the account.
mrlinkwii@reddit
if there are personal files (photos or files related to tax/insurance), depending on the country it's still property of the deceased
jstar77@reddit
This is HR's call, just make sure to document your recommendation and their response.
Dibchib@reddit
There's 2 ways you can deal with it. You can easily disable login and delegate access should anyone need it.
There's also the internal politics here. What happens if you disregard HR awaiting legal? You can easily justify the reset as a non-intrusive method of securing the account in lieu of an HR/legal outcome, as the security team are requesting it; or you pass on the security team's recommendation and leave it as is, knowing you would be absolved of responsibility in the event something is breached.
It seems like a clash of 2 dept policies and someone higher up the food chain should be responsible for determining which one should take precedence
techparadox@reddit
Minimum we'd do is put it on legal hold, revoke sessions, block VPN access, and reset the password. That account needs to be secured, death certificate or not, and if there's any hardware out there where someone who knows the deceased's password could access it, that's a breach waiting to happen. Besides, you'd have to reset the password anyway if anyone needed direct access to the account.
Witty_Formal7305@reddit
If you really want to not touch the account, then the easiest way around it if you're in M365 and licensed for it is just block sign-in from everywhere except your office's static IP.
Not AS good as disabling it or changing the pw etc, but depends on how strict the "don't touch it" is at this point, since doing the CA policy doesn't touch the acct itself at all.
mrlinkwii@reddit
lock the account , remove any 2fa etc and make a new process /policy
One_Economist_3761@reddit
Security team and HR should resolve the situation and let you know when they agree.
It might also help you to update your security policy documents to specify their resolution as protocol for future reference.
FireCyber88@reddit
Security first.
tech-brah@reddit
I would never make this my concern. All of the drama queen nerds in the comments who are advising against following HR's guidance are true idiots.
Reedy_Whisper_45@reddit
Oof. Disable the account. It can be re-enabled as needed.
If you're not comfortable with that, change the password. Nobody should know it anyway. Then, when needed, change it to something so people can get in. IF they need to get in. They should not.
You should be able to handle anything necessary on an as-needed base from the administrative side.
HoptastikBrew@reddit
Put the account on legal hold and block logins. I’d probably remove group membership and hide from the GAL.
NotMedicine420@reddit
Do you have nothing better to do? You've been told what to do - sit back and wait. Literally not your problem. Security can go directly to hr.
Moontoya@reddit
Reset the password, remove 2fa from personal phone (if set that way).
do not remove the license, do not block logins, do not modify the contents of the mailbox at all.
Control who can access the mailbox until such time as legal finally clears it - whilst maintaining function & preserving data.
(GDPR approved method)
The-Jesus_Christ@reddit
I’d convert it to a shared mailbox instead.
Upbeat_Whole_6477@reddit
Came here to say this. Remove MFA methods, revoke sessions, reset passwords and move on.
zqpmx@reddit
Also leave a note in the account and notify help desk support about the situation u/op
I have seen cases where a fired employee called help desk to report problems with their login (that was disabled) and the support person was very close to reactivating the account again.
The procedures weren’t very well defined for this case.
ncc74656m@reddit
Absolutely block signins, the beneficiaries need nothing from their work mailbox at all, shouldn't be accessing it to begin with, and it doesn't prevent anyone with legitimate existing access to mailbox or resources from their account from accessing it.
ReputationNo8889@reddit
Well that depends completely on what was in their work contract. In Germany, if you allow work email for personal use, that data is considered personal data and then the beneficiaries absolutely do have a right to that data.
ncc74656m@reddit
A right to the data, not a right to freely log in. But fair point.
If the company wants me to provide an export of the data, provide assistance with access to MFA codes and account reset info to get access to other accounts, fine. But direct login access? Not happening unless the account is isolated without access to company systems and that shit is signed in triplicate.
Kernal_Panic_47@reddit
I wouldn't worry too much about it. If it was a massive security risk, the security team would be jumping all over HR and even override them if it was serious enough. HR are probably following a death in service policy that hasn't been updated to include changes in tech over the last 10 years.
Let the Cyber Security team have the fight with HR about it. They are better positioned within the company to get this sorted and update the process.
If you are able to, set up an alert to trigger if the account is logged into and report the activity to the security team.
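The alert this comment describes, as an added example that is not part of the thread: a small monitor run over Entra ID sign-in log records for accounts that are on a hold. The record fields (`userPrincipalName`, `createdDateTime`, `isInteractive`, `status.errorCode`) follow the Entra sign-in log schema; the sample records and the hold list are constructed for the example. It flags any activity after the hold started, and rates a successful non-interactive sign-in as seriously as an interactive one, because a token refresh succeeding after the hold means a session was never revoked.

```python
"""Monitor sign-in log records for accounts placed on an administrative hold.

Added example, not from the thread. Assumes Entra ID sign-in records exported
as JSON objects with the fields used below (UTC timestamps). Sample data is
constructed for illustration.
"""
from datetime import datetime

# Constructed sample records: one before the hold, three after it for the
# held account, and one for an unrelated user that must not be flagged.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "j.doe@example.com", "createdDateTime": "2024-05-02T08:02:11Z",
     "isInteractive": True, "appDisplayName": "Office 365", "ipAddress": "198.51.100.4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "J.Doe@example.com", "createdDateTime": "2024-05-04T10:15:40Z",
     "isInteractive": True, "appDisplayName": "Office 365", "ipAddress": "203.0.113.9",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.doe@example.com", "createdDateTime": "2024-05-04T10:20:03Z",
     "isInteractive": True, "appDisplayName": "Office 365", "ipAddress": "203.0.113.9",
     "status": {"errorCode": 50126}},   # 50126 = invalid username or password
    {"userPrincipalName": "j.doe@example.com", "createdDateTime": "2024-05-05T06:00:00Z",
     "isInteractive": False, "appDisplayName": "Outlook", "ipAddress": "198.51.100.4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "a.smith@example.com", "createdDateTime": "2024-05-05T09:00:00Z",
     "isInteractive": True, "appDisplayName": "Office 365", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
]

# Constructed hold list: UPN -> moment the hold started (date HR told IT).
HOLDS = {"j.doe@example.com": "2024-05-03T00:00:00Z"}


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def alerts_for_held_accounts(signins, holds):
    """Return one alert per sign-in record of a held account after its hold began.

    Severity: 'high' for any successful sign-in (interactive or token refresh),
    'medium' for failed attempts, which still show the credentials being tried.
    """
    hold_start = {upn.lower(): _parse(ts) for upn, ts in holds.items()}
    alerts = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in hold_start:
            continue
        when = _parse(rec["createdDateTime"])
        if when < hold_start[upn]:
            continue  # activity from before the hold is expected and not alerted on
        success = rec.get("status", {}).get("errorCode", 0) == 0
        interactive = rec.get("isInteractive", True)
        if success and not interactive:
            severity, reason = "high", "token refresh succeeded after hold: a session is still valid, revoke sessions"
        elif success:
            severity, reason = "high", "interactive sign-in succeeded after hold: someone holds the credentials"
        else:
            severity, reason = "medium", "sign-in failed after hold: credentials are being tried"
        alerts.append({
            "upn": upn,
            "time": when.isoformat(),
            "severity": severity,
            "app": rec.get("appDisplayName", "?"),
            "ip": rec.get("ipAddress", "?"),
            "reason": reason,
        })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in alerts_for_held_accounts(SAMPLE_SIGNINS, HOLDS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['upn']} "
              f"{alert['app']} from {alert['ip']}: {alert['reason']}")
```

Run it against a scheduled export of the sign-in logs and forward the result to the security team; the hold list is the only state it needs, so it works whether or not the account was actually disabled.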
reol7x@reddit
Has OP responded anyone?
I'm getting LLM vibes from this one and don't really know why. It seems like such a bizarre scenario designed to promote a lot of conversations.
Ok-Passenger9711@reddit
Suspend the account while waiting for the confirmation of death or the employee to come back to life.
creativeusername402@reddit
It'd be a shame if someone used the wrong password enough times to hit the password limit and locked the account. Then the (now deceased) employee would have to call into help desk and get their account unlocked.
coukou76@reddit
In my company SOC team would be on my ass in the next 10mn if I did that
labalag@reddit
How would they know it's you?
awetsasquatch@reddit
The device that is making the attempts gets logged. Cross reference it with asset management and you find out pretty quickly.
reol7x@reddit
Surely there's a PC in a conference room somewhere...
labalag@reddit
Hey Bob, can I borrow your computer real quick?
Expensive_Plant_9530@reddit
Yeahhhh except don’t do that, because it is easily logged and you’re just gonna make yourself look suspicious to management and whatever SOC/ops team you might have.
MightyPirat3@reddit
Very good idea to try to log onto someone's account (and have that logged). /s
TerrorToadx@reddit
They won’t know if you reset the pw lol
billy_teats@reddit
That action is absolutely logged and traceable.
TerrorToadx@reddit
By HR? Doubtful.
Security and IT wants a pw reset. I don’t think anyone will rat them out if they happen to stumble upon a log lol
LawnJerk@reddit
If you disable the account, who’s going to complain?
zqpmx@reddit
In most places anybody can get a death certificate if you provide the information of the deceased, as they're public records.
But I wouldn't overstep and take responsibilities that don't belong to you.
If HR says that in writing, print that email and comply.
If they ask that verbally, write an email. Like
“Regarding your instruction of not to close (or whatever) the account until Legal approval, etc etc”.
To leave paper trail of the situation. Even if they don’t reply to the emails.
Remind them if you can close the account if time has passed and you think it's excessive.
brianozm@reddit
Leaving the account open is a risk, which might affect legal and the estate. It needs to be locked down to prevent access and possible corruption. Legal is insane for not understanding this.
planehazza@reddit
Quite the opposite for me. I received emails to disable the account of a close work friend 5 hours after I learned of their passing...
Iron-Dragon@reddit
Suspend the account, just don't delicense it; expire it as of now - then when they get there, usual process.
cyberkine@reddit
Does HR plan to continue to pay the deceased employee or are they waiting for a death certificate too?
KindPresentation5686@reddit
You don’t work for HR. Disable the account. That’s IT 101.
Cool-Calligrapher-96@reddit
Disable account
NetSchizo@reddit
We just disable the account and reset the password until it's in the clear
ReptilianLaserbeam@reddit
We have an OU for temporary leave/absence and another one for legal hold.... I would be temporarily moving his user to the first one so his user remains active, his licenses are kept but access is restricted
HuntingTrader@reddit
Explain the risks to HR, Legal, and your boss in an email. Make one of them respond with a decision. Follow that decision because someone else took on the risk. If they tell you to leave the account alone and it gets compromised, whip out the email and sip tea.
ParkerGuitarGuy@reddit
Maybe they are confusing "disable" with "delete". Make sure they are clear that disabling is not destructive. It only prohibits active use of that security principal and is reversible.
gregarious119@reddit
This is where my mind was at too. I would treat it no differently from an LOA until the documentation arrives.
Creative-Type9411@reddit
what would make you think locked down devices are easier to hack when someone is dead?
this is what I can't stand about sysadmin... its this
Every single person here is acting like the password was leaked.. smh, seriously guys? Someone being dead doesn't make their account any easier to get into..
Justan0therthrow4way@reddit
Personally I'd hold off. Especially if he is using his work phone as a personal phone and might have photos the family wants. It will unlikely do anything to remove Intune and block his company laptop from accessing the network until you get further instructions.
No_Dot_8478@reddit
There might be a legal reason to hold the account data depending on the job, but there’s no legal reason to not simply disable the account itself. Almost feels like legal is confused about the meaning of different account statuses. If the guy turns out to not be dead and wants to come back to work, just enable the account again… there’s no reason to hold off.
hawksdiesel@reddit
We change the passwords as some microslop onedrive things only last so many days, if you take the license away, making them shared accounts. 90 days or something before that one drive content purges.
SaansShadow@reddit
I know a lot of people are saying do the password reset but you are dealing with HR. They won't protect you if you go against policy. It could also mean reprimands.
As long as you have in writing from HR saying not to do these things, leave it at that. If something happens, you made your recommendation, security did theirs, and HR said no.
If you haven't, write an email stating the reasons why this should be done, understanding HR policy, blah blah blah, corporate speak. Just get them not wanting to lock down the account in writing.
You're showing you're doing your job, following policy, and covering your ass.
Non-tech admin staff do not understand, do not want to understand, just want to be obeyed. If shit happens, you can point to the multiple emails stating otherwise. Shit will change when that happens; until then, it's a non-existent issue for these short-minded morons.
pnlrogue1@reddit
Hey OP. We lost a colleague in our team very suddenly about 3 weeks ago. It's awful and I keep bumping up against the things he was doing before it happened. It sucks. Hope you are doing ok.
As to your question
HR are talking out of their arses. It's entirely reasonable and sensible to disable the account and reset the password. This is a security matter, not an HR matter - you're suspending their security access, not changing their personnel records.
Bluntly, removing all security groups is reasonable, too, but disabling the account is enough.
If HR are scared of legal repercussions, ask Legal if there are any concerns about disabling their computer access in an easily reversible fashion while awaiting update of the HR records. I bet Legal are fine with it and if not then direct Security to Legal to argue it out.
Mindestiny@reddit
What the hell does someone's work access credentials have to do with the "estate or beneficiary process"? That's all company property, not the individuals. HR is probably worried about that stupid life insurance that always gets bundled with everyone's benefits/payroll as a value add but offboarding the employee doesn't affect that if they know how to actually offboard someone properly in the HRIS.
That needs to be shut down, period. Decouple it from the HRIS or lock the account in Entra, do not just let it sit there, and then follow IT process would be my vote.
Jeroen1989b@reddit
From a technical standpoint, why not escalate to the CISO ? He / she should be in a stronger position to align internal governance between departments and he'll have a good view on the risk assessment points you bring up.
ncc74656m@reddit
Block signins from the account and revoke sessions. It won't stop anyone with existing provisioned access to the account from getting access to things they need, but it will stop anyone who can otherwise gain access from logging in with those credentials. Absolutely no one should, ever, for obvious reasons. This changes literally nothing else about the account, and is immediately reversible.
slapstik007@reddit
Suspend the account. I had to do that last year while we waited for more instructions.
Today_is_the_day569@reddit
Just change password to extremely complicated, document, set calendar reminder and move on.
billy_teats@reddit
You have an employee who has not shown up to work for two weeks and HR wants to continue paying them?
What obligation does the family have to send a certified death certificate? What happens if they never do?
Legal is trying to cover themselves. HR, as is their nature, is hesitant to do anything.
Tell them both you’re disabling the account because someone hasn’t shown up to work for two weeks. It’s easily reversible
nickram81@reddit
Didn’t we all have this exact scenario given to us in college?
MrsLobster@reddit
If the deceased employee recorded their passwords somewhere that another person could access them, which is not unlikely, they could potentially: delete email, send email from the employee’s account, modify or delete files, modify or delete data, or gain access to sensitive company data (vendor, customer, production, financial, etc., depending on their role). Worst of all for this specific case, they could log into the employee’s payroll, insurance benefits, 401k, etc and make changes to address, bank account, beneficiaries, etc.
IANAL but I assume the company will have some obligation related to payment of last wages, accrued bonus or commission, unused vacation time or other. None of these things will require someone else logging into the employee’s account. The payroll company, benefits providers, etc. should be able to provide guidance on appropriate steps.
You need to escalate this to the CIO or equivalent.
Alexandre_Man@reddit
Why do you care? The account isn't gonna do anything just by existing. Leave it enabled until they tell you to disable it.
Charokie@reddit
When we had deaths we accepted family statement and shut account down. Otherwise they are still being paid?? Voting too?
BlkCrowe@reddit
Set a crazy long random password, remove from all groups but Domain Users, and set to allow login from only one workstation. Looks like our work here is done.
hasthisusernamegone@reddit
Group-assigned license gets removed, mailbox gets deprovisioned, OP has a very difficult conversation with HR and Legal.
BlkCrowe@reddit
Good to know. I’ve been out of Windows Administration for quite a while. I should have prefaced with “back in my day…”
Deathdar1577@reddit
Totally agree.
hectoralpha@reddit
push the blame dude.
reply to HR email, CC some manager from IT side.
ask them if they agree with HR,
mention if no reply in X days you will take it as confirmation to disable account.
if HR replies tell them to get approval from someone above your head that has authority over IT estate in the company.
SkittyDog@reddit
Your department isn't "below" HR in any kind of hierarchy. Why the fuck are you letting them tell you how to do YOUR job?
HR people aren't geniuses. It's a dumping ground for paper-pushing dregs who are unemployable in any other function, but tick enough boxes on paper and suck up well enough to still get hired in HR.
DO YOUR FUCKING JOB. Your department is the expert on how to do your job. HR can give you all the advice they want, but that's all it is - advice, and unqualified advice at that. Asking HR to tell IT how to manage accounts is like asking Kristi Norm for advice on not ending up with a closeted trans husband.
Revolutionary_Ad_238@reddit
For Entra, create a CA policy to block access to all cloud apps and then add the account to this policy. This way you are not disabling the account but blocking access completely. For Okta there might be something similar.
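The reversible "hold" several commenters describe (block sign-in, revoke sessions, scramble the password and review MFA methods, while leaving licences, groups and the mailbox untouched) and the Conditional Access alternative in this comment, as one added example that is not from the thread or from Microsoft. It expresses each step as a Microsoft Graph v1.0 request so the plan can be reviewed and logged before anything is sent; the endpoints (`PATCH /users/{id}`, `POST /users/{id}/revokeSignInSessions`, `GET /users/{id}/authentication/methods`, `POST /identity/conditionalAccess/policies`) are real Graph endpoints, while the user id, policy name and the assumption that the caller already holds a suitably permissioned access token are the example's own.

```python
"""Plan (and optionally send) a reversible access hold for an Entra ID user.

Added example, not from the thread. Assumes Microsoft Graph v1.0 and an
access token already obtained with User.ReadWrite.All and
Policy.ReadWrite.ConditionalAccess (password resets additionally need the
caller to hold a privileged role). Everything is a dry run unless execute()
is called with dry_run=False.
"""
import json
import secrets
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Anything whose URL contains one of these would go beyond an access hold
# (licence assignment, mailbox content, group membership): never part of the plan.
OUT_OF_SCOPE = ("assignLicense", "mailFolders", "messages", "memberOf")


def plan_hold(user_id: str):
    """Requests that take access away without changing what the account owns.

    Order matters: disable first so nothing new can be issued, then revoke
    what is already issued, then make the old password worthless.
    """
    scrambled = secrets.token_urlsafe(32)  # random, never shown to anyone
    return [
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),       # block sign-in
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),        # invalidate refresh tokens
        ("PATCH", f"{GRAPH}/users/{user_id}",
         {"passwordProfile": {"forceChangePasswordNextSignIn": True, "password": scrambled}}),
        ("GET", f"{GRAPH}/users/{user_id}/authentication/methods", None),       # list MFA methods for review
    ]


def plan_release(user_id: str):
    """The reversal: re-enable sign-in. A new known password is set by the admin at that point."""
    return [("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": True})]


def block_policy(user_id: str, name: str = "Hold: block all cloud apps"):
    """Conditional Access alternative: block the user without editing the user object."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [user_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def plan_block_policy(user_id: str):
    return [("POST", f"{GRAPH}/identity/conditionalAccess/policies", block_policy(user_id))]


def touches_only_access(plan) -> bool:
    """Guard: refuse any plan that strays into licences, mail or group membership."""
    return all(not any(marker in url for marker in OUT_OF_SCOPE) for _, url, _ in plan)


def execute(plan, token: str, dry_run: bool = True):
    """Return the plan as 'METHOD URL' lines; send it only when dry_run is False."""
    if not touches_only_access(plan):
        raise ValueError("plan contains out-of-scope requests")
    log = [f"{method} {url}" for method, url, _ in plan]
    if dry_run:
        return log
    for method, url, body in plan:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:  # raises on HTTP errors
            resp.read()
    return log


if __name__ == "__main__":
    uid = "00000000-0000-0000-0000-000000000001"  # placeholder object id
    for line in execute(plan_hold(uid), token="<token>"):
        print(line)
```

The plan is data until `execute(..., dry_run=False)`, which is what makes it easy to paste into the email thread with HR and Legal: every request is visible, none touches the mailbox, licences or groups, and `plan_release` shows the whole thing is one PATCH away from being undone.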
IllIntroduction8499@reddit
Just leave them in disabled. Remove the license and keep the mailbox. Once they need access just turn it on again. Explain to HR that the company has a legal liability for not taking steps to protect their assets from a data breach. If basic steps aren't taken, any kind of insurance or damages that occur will hold the company liable.
Odd_Awareness_6935@reddit
tough spot to be in
but from a technical standpoint, you gotta lock out that account
I would at least disable any new sign-in
SchemaAndShell@reddit
Just disable, revoke the sessions and rotate the password until the formal offboarding. 100% chance HR will never know anyway, unless you continue to bring it up and give them a reason to check the account.
harbengerprime@reddit
Account should be disabled for security reasons. It can stay, disabled with no issue
brispower@reddit
This is not HR's call, do the needful.
TaterSupreme@reddit
It sounds to me like HR has reported a concern that the employee's credentials have been compromised. Therefore the security policy for that situation should be activated.
Chapungu@reddit
Nothing really complicated here at least from how I see it. The call has been made, your job is to follow Legal's advice before you open the entire company to a suit.
DueBreadfruit2638@reddit
Peak bureaucratic intransigence (also known as stupidity). If legal says take no action, then they door the risk bill.
Zozorak@reddit
Estate or beneficiary process doesn't have anything to do with the business though? I'd just revoke access and disable / scramble password. HR can be a pain at times.
jkerman@reddit
It's probably the opposite. If the guy /isn't/ dead, disabling their account could be an adverse employment action and could get them in trouble.
TalkingToes@reddit
Three days no show = so ( per policy? ) the account is disabled, right?
ptinsley@reddit
If i was the family I don’t think I would make time for a dead loved one’s job wanting something.
jimicus@reddit
I was thinking the same thing.
If the person's former employer offers (eg) some sort of death in service benefit and they won't pay out without a death certificate - I can completely understand that. And then you probably would get a death certificate.
But that's got absolutely nothing to do with IT.
Lonely-Bag-9401@reddit
Why would they need to see that if he is clearly not coming to work?
usps_made_me_insane@reddit
Because HR. Have you ever seen an HR felt actually make solid decisions?
Personally, I had something like this happen before and just notified the VP of IT. They said nuke the account and if anyone causes issues, have them contact him.
This was said in his office so I just put it in an email for the paper trail and asked a quick side question to get a reply so that I had proof he saw the email.
Sometimes you just have to do silly shit because corporate life can be nonsensical at times.
jimicus@reddit
This is what management is for.
In my experience, you could have quite merrily said "Sorry; VP's orders. Take it up with him" to anyone who questioned you - and he wouldn't hear a damn peep.
It's quite remarkable how that happens. Almost like people are only happy to bicker and cause trouble if they don't think they'll catch trouble themselves for it.
limlwl@reddit
It’s not your problem - why make it so when legal already said it.
Normal_Choice9322@reddit
Why does HR have any say in revoking sessions or password resets lol
Orangesteel@reddit
You need to align policies over the medium term. HR and IT should be congruent on IAM lifecycle management. For now, disable the account and reset the password before formal de-provisioning. This is standard in most companies for this situation and also when someone is on maternity leave, suspended or on a sabbatical.
mullsies@reddit
Sounds like HR is clueless. The account isn't part of their estate - it is company property, and HR and IT processes are unrelated, e.g. blocking an account that has been compromised by a phishing incident has nothing to do with their employment status.
thors_tenderiser@reddit
Employee abandoned the workplace (one way or the other) - disable account, revoke sessions is good security practice.
CaptainZippi@reddit
Punt this whole thing to your chief risk office (or someone else) to handle with a “this seems risky, don’t accept the risk. If not, you deal with HR”
ChiefBroady@reddit
Just be a bit patient and imagine the employee is on extended vacation. I don’t see the big urgency here.
pancakes1983@reddit
Login 3 - 5 times incorrectly with their username and lock it out….
kanben@reddit
Reminder that this is the shit that companies care about after you die
Work to live
braytag@reddit
F-all that, this is a security issue, block sign-in. Keep the account alive, fine, but block it.
This is not legal or HR call, this is IT security.
JamieTenacity@reddit
1) Do what’s required for security, because that’s your responsibility and not related to HR, Legal, or anyone’s estate. 2) Start your own business, or get a cabin in the woods; whichever you prefer to minimise future contact with NPC morons.
Mr-RS182@reddit
Would reset password and revoke all sessions at a minimum.
Vindalfur@reddit
Yes, this happened once at work, we disabled the account and resented the password. Then we did nothing until HR and legal came to us. We had to enable the account again, but always with 4 eyes watching.
nermalstretch@reddit
Was it personally insulting to you?
Vindalfur@reddit
lol! I love autocorrect.
Resetted*
AddMoreLimes@reddit
What would the policy be if an employee called up saying they lost control of their company device? It sounds harsh, but technically that is what happened. Disabling the account to prevent logins would be the bare minimum.
Also, consider enabling a policy about automatically disabling unused accounts after a certain amount of days. That is a NIST recommendation and covers all sorts of things like approved leave of absence, quiet terminations, and other stuff that your HR and Legal teams sound like they aren't telling you about.
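The inactive-account check the comment above suggests, as an added example in Python rather than the thread's own tooling: it walks sign-in records shaped like Entra ID sign-in log entries (userPrincipalName, createdDateTime, status.errorCode), keeps only successful sign-ins, and flags every known user whose last success is older than the threshold. The log lines, user list and "now" timestamp are constructed for illustration.

```python
"""Flag accounts with no successful sign-in in the last N days.

Added example, not code from the thread. The records imitate the shape of
Entra ID sign-in log entries (userPrincipalName, createdDateTime,
status.errorCode); the log, user list and NOW below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: errorCode 0 is a successful sign-in, 50126 a bad password.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-06-28T08:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com",   "createdDateTime": "2024-05-01T17:40:00Z", "status": {"errorCode": 0}},
    # A failed attempt must not count as activity (it could be a password spray).
    {"userPrincipalName": "bob@example.com",   "createdDateTime": "2024-06-20T03:05:00Z", "status": {"errorCode": 50126}},
]
KNOWN_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed "as of" time


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used by the sign-in log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_successful_signin(records):
    """Map lower-cased UPN -> timestamp of the most recent successful sign-in."""
    last = {}
    for rec in records:
        if rec["status"]["errorCode"] != 0:
            continue
        upn = rec["userPrincipalName"].lower()
        ts = parse_ts(rec["createdDateTime"])
        if upn not in last or ts > last[upn]:
            last[upn] = ts
    return last


def dormant_accounts(records, known_users, now, max_idle_days=45):
    """Return sorted (upn, last_success_or_None) for accounts idle past the threshold.

    Users with no successful sign-in at all are flagged too (last_success None);
    that catches accounts that were provisioned but never used.
    """
    last = last_successful_signin(records)
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for upn in known_users:
        seen = last.get(upn.lower())
        if seen is None or seen < cutoff:
            flagged.append((upn, seen))
    return sorted(flagged)


if __name__ == "__main__":
    for upn, seen in dormant_accounts(SAMPLE_SIGNINS, KNOWN_USERS, NOW):
        print(f"{upn}: last successful sign-in {seen.isoformat() if seen else 'never'}")
```

The threshold is deliberately a parameter: the same routine covers leave of absence, quiet terminations and never-used accounts, and the output feeds the disable step rather than performing it, so the decision stays reviewable.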
Bibblejw@reddit
Reset and disable the account. Work accounts are not inheritable and are not a part of the estate or beneficiary process. If HR have a link to revoke HR benefits when the account is disabled, then that's a separate issue, but this is an account where the user is no longer going to be accessing the resources. Those accounts should not be accessible.
Ok_Awareness_388@reddit
Make a temporary block hold group. Block in conditional access. Add user to group. Account was not modified.
VCoupe376ci@reddit
This is wild. The Entra ID is company property and has nothing to do with the estate. HR and Legal are both idiots here. They are acting like you asked to close out their 401K. 🤦🏻♂️
If you don’t want to run afoul of them, revoke sessions, force a password reset, and push a request to reregister MFA. This should at least assure nobody is accessing their account while they get their heads out of their asses.
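The two containment routes above (the hold group blocked by Conditional Access from Ok_Awareness_388, and revoke sessions plus password reset from the comment just above), as an added example in Python rather than the PowerShell an Entra admin would usually type. It is not code from the thread. The paths are the documented Microsoft Graph v1.0 endpoints; the HTTP transport is injected so the call sequence can be exercised offline, and every id is a placeholder.

```python
"""Contain an Entra ID account over Microsoft Graph without deleting anything.

Added example, not from the thread. Endpoints are the documented Graph v1.0
calls; `transport` is an injected callable (method, url, body) -> dict so the
sequence can be exercised offline with a fake. In production pass a real HTTP
client holding a token with the needed Graph permissions. Ids are placeholders.
"""
import secrets

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphClient:
    def __init__(self, transport):
        self._send = transport
        self.calls = []  # audit trail of (method, path, body), secrets redacted

    def _call(self, method, path, body=None, logged_body=None):
        self.calls.append((method, path, body if logged_body is None else logged_body))
        return self._send(method, f"{GRAPH}{path}", body)

    def block_sign_in(self, user_id):
        # Hard block: the user object itself is set to disabled.
        return self._call("PATCH", f"/users/{user_id}", {"accountEnabled": False})

    def add_to_hold_group(self, group_id, user_id):
        # Soft block: user object untouched; a Conditional Access policy targets the group.
        body = {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}
        return self._call("POST", f"/groups/{group_id}/members/$ref", body)

    def create_block_policy(self, display_name, group_id):
        # One-off setup for the hold group: block every cloud app for its members.
        body = {
            "displayName": display_name,
            "state": "enabled",
            "conditions": {
                "users": {"includeGroups": [group_id]},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["all"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        }
        return self._call("POST", "/identity/conditionalAccess/policies", body)

    def revoke_sessions(self, user_id):
        # Invalidates refresh tokens and session cookies. Access tokens already
        # issued keep working until they expire, so do this as early as possible.
        return self._call("POST", f"/users/{user_id}/revokeSignInSessions")

    def reset_password(self, user_id):
        # Nobody needs to know the new value; it is generated, sent and discarded.
        # 32 random URL-safe chars satisfy the mixed-character-class rule in practice.
        body = {"passwordProfile": {"password": secrets.token_urlsafe(24),
                                    "forceChangePasswordNextSignIn": True}}
        logged = {"passwordProfile": {"password": "<redacted>",
                                      "forceChangePasswordNextSignIn": True}}
        return self._call("PATCH", f"/users/{user_id}", body, logged_body=logged)


def contain_account(client, user_id, hold_group_id=None):
    """Block new sign-ins, kill existing sessions, rotate the password; return the call log."""
    if hold_group_id:
        client.add_to_hold_group(hold_group_id, user_id)
    else:
        client.block_sign_in(user_id)
    client.revoke_sessions(user_id)
    client.reset_password(user_id)
    return client.calls


if __name__ == "__main__":
    # Dry run with a fake transport that prints instead of sending.
    fake = lambda method, url, body: print(method, url, body) or {}
    contain_account(GraphClient(fake), "<user-object-id>", hold_group_id="<hold-group-id>")
```

Two caveats worth keeping in mind: a Conditional Access block is evaluated when a token is issued, so the session revoke is needed on either route, and the policy created here should exclude break-glass accounts before it is enabled in a real tenant. The call log is what you hand to HR and legal as the written record of what was (and was not) changed.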
hasthisusernamegone@reddit
I don't get this. You have clear instructions to do nothing until legal clear it. That is your position. Until legal tell you you can do it you DO ABSOLUTELY NOTHING.
joeykins82@reddit
You're struggling because there isn't any risk, whereas there is risk which you've correctly identified in not touching this. HR have got tunnel vision here and are looking at this solely from their own perspective; "we absolutely don't want to mess this up and will follow our processes to the letter" is the right decision within their sphere of influence, but when it comes to anything outside that sphere then bluntly they need to stay in their lane.
Your first obligation as a sysadmin is the uptime, stability, integrity, and security of the company's IT systems. HR are currently telling you to do something which goes against that obligation, and the correct response is to JFDI because you know you're in the right. Any time you face a situation which risks that obligation, the obligation comes first unless legal tell you that you would be breaking the law by taking action, or someone in the C-suite gives you written instructions.
What this has potentially exposed is that you should always have a way to override the data feed from HRIS, and be able to temporarily force-disable an account even when someone's employment status in that system is normal. An account in that state should not be re-enabled by normal tooling/feeds until the sysadmin team clear that override state.
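The override logic described in the last paragraph, as an added example in Python (not the poster's code or any HRIS vendor's connector): the feed from HR decides the normal enabled/disabled state, but a security hold recorded by the sysadmin team forces "disabled" and is never lifted by the feed itself, only by an explicit clear. The feed, directory state and names are constructed.

```python
"""Reconcile an HRIS feed with a sysadmin-held security override.

Added example, not the poster's or any vendor's code. Models the rule above:
an account IT has force-disabled stays disabled no matter what the HRIS feed
says, until the sysadmin team clears the override. Data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class OverrideStore:
    """Security holds keyed by lower-cased UPN, with the reason recorded."""
    holds: dict = field(default_factory=dict)

    def place(self, upn, reason):
        self.holds[upn.lower()] = reason

    def clear(self, upn):
        self.holds.pop(upn.lower(), None)

    def active(self, upn):
        return upn.lower() in self.holds


def desired_state(hris_status, overrides, upn):
    """'disabled' if a hold exists; otherwise follow the HRIS status."""
    if overrides.active(upn):
        return "disabled"
    return "enabled" if hris_status == "active" else "disabled"


def reconcile(hris_feed, directory_state, overrides):
    """Return (upn, action) pairs for accounts whose directory state must change.

    hris_feed:       {upn: "active" | "terminated" | ...} from the HR system
    directory_state: {upn: "enabled" | "disabled"} as currently in the directory
    """
    changes = []
    for upn, hris_status in hris_feed.items():
        want = desired_state(hris_status, overrides, upn)
        have = directory_state.get(upn, "enabled")
        if want != have:
            changes.append((upn, "disable" if want == "disabled" else "enable"))
    return changes


def apply_changes(changes, directory_state):
    """Apply reconcile() output to the (in-memory) directory state."""
    for upn, action in changes:
        directory_state[upn] = "disabled" if action == "disable" else "enabled"
    return directory_state


# Constructed scenario: HR still shows the deceased employee as active.
HRIS_FEED = {
    "alice@example.com": "active",
    "deceased@example.com": "active",
    "leaver@example.com": "terminated",
}

if __name__ == "__main__":
    overrides = OverrideStore()
    overrides.place("deceased@example.com", "security hold pending HR/legal separation")
    state = {upn: "enabled" for upn in HRIS_FEED}
    print(reconcile(HRIS_FEED, state, overrides))
```

The point of the separate store is that the next scheduled feed run sees "active" from HRIS and still produces no enable action; re-enabling requires someone on the sysadmin team to clear the hold, which is the audit event you want.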
Rhythm_Killer@reddit
If the security team are trying to hide behind you and not speak to HR themselves that’s a problem.
But I see no harm in disabling the account pending due process
Expensive_Plant_9530@reddit
For security reasons I would think you would suspend account access ASAP, regardless of whether “legal has signed off”.
This definitely needs some follow up with your department head and some new procedures.
Why would you need to wait for legal? If it turns out the person is un-dead, you can reactivate the accounts.
DStandsForCake@reddit
It sounds incredibly strange that you don't have a clearer offboarding. What do you do if someone is fired in the middle of the day, especially someone who still has access to sensitive data? The very least you should do is reset the password, and disable logins. Then the account is still "active", but you don't have to worry about the account just going astray.
The fact that HR doesn't have knowledge over it isn't really their job, so see this as an opportunity to take charge.
We have a routine that key people (such as managers, IT staff and so on) who leave, we keep the account for at least four months, with autoreply set. We normally do not allow anyone to have access to the inbox due to privacy reasons, more than written exceptions.
bobdvb@reddit
I agree with everyone here about locking access, the only thing you shouldn't do is do a remote data wipe on devices, especially phones.
While infosec could say they want it, right at this moment you want to remember that the deceased may have had family photos or essential documents on their phone and you need to know what impact you might have. Even if having personal photos on a phone it's part of company policy, you need to think about their family as well.
Krassix@reddit
That's a situation where I wouldn't have a problem. Other departments have to cover this first, not your problem. Wait till someone orders you to disable the account. You told them, they have to act.
Opposite_Bag_7434@reddit
OP there should be nothing estate or beneficiary related that would justify keeping an account open since these entities have no standing with the business. There are, however, times when a business can be legally barred from altering an account in any way. This simply requires a court order or potentially even a lawful police order.
We had an employee die at one of our facilities. Now this was a different country so local laws certainly applied, but the manner and circumstances of death made it highly suspicious. In the end the suspicions were right, it was a homicide. We were told that local authorities required credentials, and that we could do absolutely nothing more to the account until cleared to do so.
You could ask legal since they are the company's counsel, and they should explain why the hold is needed.
If your company has a legal hold process this is a good time to determine whether a legal hold needs to be placed on the account. If you do not, you should be asking if this is necessary.
Ok_Awareness_388@reddit
IT policy needs to be updated to show temporary security restrictions, including lockout, can be imposed for any reason as determined by IT to maintain security.
danininodk@reddit
I have seen this once or twice. I can't imagine there will be any legal issues with:
1.) Reset password
2.) Disable account
3.) Force logout
All this does is make sure that the account isn't logged in anywhere. It is a personal account and since the person is no longer with us NOBODY should be able to use the user for login. Whatever happens after with delegation is for HR to figure out.
KallamaHarris@reddit
In fact I can confidently say the employee is no longer in possession of their phone. Somebody else now owns that phone with the employee's MFA on it. The risk is leaving all this.
Biervampir85@reddit
You already said everything needed: HR tells you to do nothing. Let them tell you via email, not only as spoken word. Give this mail to legal and your security team and lean back.
FlashDangerpants@reddit
Next week I want a story from you about how you changed a password and now there's a ghost hassling you about it.
Sintobus@reddit
Change permissions, you can leave it untouched otherwise. No need to receive and definitely no need to send. It can be frozen and still be there for HR/Legal purposes.
mulquin@reddit
Don't deprovision but isolate and reduce risk as much as you can
OkEssay4173@reddit
Disable but don't remove the account
SparkyMonkeyPerthish@reddit
I'll assume that this is a Windows shop: disable the AD account to prevent access; that should handle the rest of the LDAP-authenticated systems. Now the tricky one: are there any SaaS applications that are utilised that do not have LDAP? Main reason I ask is I had a situation which was the culmination of crap record keeping, restrictive IT policies and generally shit account management practices: user had left 5 years previously, account was eventually disabled 18 months later, but there were a number of non-LDAP authenticated systems they had access to which were never recorded anywhere. This user still had access to that system 5 years later; no audit or alert was ever raised from it.
tejanaqkilica@reddit
We receive user access terminations from HR (for whatever reason), as long as that termination doesn't get initiated by HR, we don't touch it.
Don't understand why you are worrying about this. If security team has an issue with it, they can take it up with HR.
moise514@reddit
HR is full of crap and scared of their own shadows and do not want to accept any liability. Nothing new here.
Either that or they are playing some sort of game and want to keep access to the account for whatever shady reason?
We all know very well that you could disable the account and put it on legal hold and it would have 0 impact at the moment. They probably just don't understand the difference between deleting data and disabling an account, and they are afraid of making a wrong move that could get them in trouble. That being said, HR most likely has more power than you in the org, so all you can do is document everything in writing and let them know of the risks and that you disagree with their approach. It's not worth losing your job or getting on HR's bad side for shit like that.
The real final solution is a human solution, Education.
You need to have an IT director sit down with HR and explain that it's safer to disable the account both from an accounting and security standpoint. Once they understand, the director documents the process and signs off on it along with HR so you never need to have this discussion again in the future.
Hope it helps
Professional_Mix2418@reddit
To be fair the OP did mention that they wanted to deprovision it. So it may be a language thing. HR would know legal hold. It seems IT doesn't understand the concept.
Hot-Comfort8839@reddit
Disable the accounts. HR doesn’t get a say in it.
CharacterUse@reddit
IANAL but I also don't see any way in which locking an account (without deleting anything) would interfere negatively with an estate process. In fact the opposite: right now a potential beneficiary might have access to the deceased's credentials and could (in principle) use that to delete messages/data which might influence the process (suppose for example the deceased had received an email to their work address regarding property they had inherited from elsewhere - the unscrupulous hypothetical family member could copy that information, delete the email, and no one else would know - while down the line they stole that property). I would say it is essential to lock down the account, just as one would lock down a bank account etc.
Also confidential company information might leak to such an unscrupulous family member. I agree with your security team. What are your procedures for lost credentials or a MIA worker? That's what you should follow (IMO, IANAL etc).
That's the case I would make to HR and legal (also, are you talking to legal directly, or through HR? HR might not be presenting the full situation to legal).
However if you have presented the case to both HR and Legal as above, and they have both told you to hold off, then you have little choice. Just make sure it is in writing.
Professional_Mix2418@reddit
To me the key thing is the OP mentioned deprovisioning. Disabling is absolutely fine. They need to put a legal hold on the account(s). But as you mention as well, not delete anything.
itishowitisanditbad@reddit
Who asked?
The only person who would be able to tell would be the end user.
HR doesn't/shouldn't actually control accounts this way. It's purely a process issue going on. IT controls accounts in this manner. HR can make requests also, but do you also consult HR if someone has malware or something?
I don't/wouldn't care how long HR takes to catch up. An unused account is against compliance and any reasonable judgement would require the account to be restricted based on that info.
It's baffling that HR has the authority to stop or control this specific need. It's a security function; HR doesn't sign off on every single security action, do they?
Professional_Mix2418@reddit
Ahem because it is a legal situation and it seems IT or Information Security have dropped the ball in not having a process to deal with this. Disable is fine, but to deprovision is not in such situations.
knightress_oxhide@reddit
OK so you have a legal team and a security team, yet you don't have a process to offboard while keeping data?! What is this, a one-person IT team for 200+ people?
Proud-University593@reddit
Get the security risk in writing to HR/legal, set the account to disabled but don't delete, revoke active sessions. Preserves data for the estate while eliminating access risk.
Professional_Mix2418@reddit
You system and process should have a Legal Hold status. Entirely normal and especially for situations like this, but also when in disputes or disciplinary situations etc.
DO NOT DECOMMISSION / REMOVE.
Apply legal hold, so you can block sign-in. And update the IT ISMS policies to properly deal with this and not have an argument with HR as they are right.
Ok-Measurement-1575@reddit
Is there any chance HR is snooping the account...
FelisCantabrigiensis@reddit
Lock the account but don't deprovision it.
That way you haven't changed any access, lost any documents, etc, and as soon as someone shows up with legal authority to access the account then your legal and HR departments will tell you to unlock it.
Delyzr@reddit
Log in a few times on his account with a random password until the account locks. Then wait for the user to send a ticket from beyond to unlock.
motific@reddit
I can't see why you would need anything legally to disable the account, but it sounds like the HR system is tied to Entra so disabling/deprovisioning might chuck a huge spanner in the works for them.
Revoking tokens and changing the password should be a no-brainer though, so I'd push this nonsense up the management chain, have the security team to do the same through their management, and be chasing HR twice a day for updates.
I'd expect security to be able to do token revocations and a password reset for themselves; they shouldn't be asking nicely for permission to react to an identified risk IMO.
Candid_Ad5642@reddit
In what way will this impact the estate or beneficiary processes?
At the very least change the password, but you really should disable the account. It can always be reactivated if need be
Ironic_Jedi@reddit
Disable the account. Keep it licensed for now and assign the manager of the user as a delegate.
Anything else can wait.
EndUserIncident@reddit
Why is it up to you to decide this? Either you are allowed to make changes or you aren't. That's up to company policy. When in doubt, your manager is there to make the decision for you and bear the responsibility.
Watcher_78@reddit
If the notification came from the employee's contact on file then that **is a formal notification**
lock the account, if he's dead no one will ever know.
Or, do the dodgy, connect via a vpn to several unfriendly nations, try and login 20 - 30 times and then lock it due to suspicious activity 🤣🤣🤣
Virtike@reddit
Reset PW. Process proper off-boarding and deactivation once the HR stuff goes through.
joshghz@reddit
"I just happened to find a PostIt note at his desk with what looks like a password written under his account name. I'm afraid I need to reset his password as a security precaution."
Optimaximal@reddit
Are you worried that the account password will have been compromised between the last known correct login and the employee's death? Why not agree a period with HR before resetting the password (and possibly notify them the password may expire before then too)..?
Appolflap@reddit
If it isn't within the mandate of your security team to disable an account and revoke sessions, just get rid of the team. All this finger pointing between HR and legal is leading nowhere. Just have security document a 'potential risk for abuse' and disable that thing. Then wait with deprovisioning until everything is cleared.
Inanimate_CarbonR0d@reddit
Yeah I'd just secure the account, maybe hide from GAL and stuff, start the process at least.. can't see how it would affect anything, unless your Entra is your IDP for the HRIS or something?