Who revokes access to top of the chain sysadmins when they're fired?
Posted by WhateverHowever1337@reddit | sysadmin | 122 comments
Have you ever received a request to revoke access from someone higher up that's also a colleague (same department) because they are about to be fired? How does it work? How awkward was it?
Ok-Shower6174@reddit
In a well-run shop, the answer is 'nobody and everybody.' You don't just click 'delete' on a global admin while they're sitting at their desk. It's usually a coordinated strike between HR, Legal, and a peer admin. HR pings the admin team, and while the person is in the meeting being let go, the peer is silently rotating service account keys and disabling the account in the background. It's cold, efficient, and deeply awkward if you have to grab a beer with them afterward.
meetc@reddit
In a place where I worked before, the CFO stored a paper copy of backup credentials, one time use codes etc in a secure location. This would be one of the use cases if required.
xftwitch@reddit
During a merger I was asked by someone's assistant to revoke access to our CEO/GM. I wasn't a huge fan of his nor was he particularly friendly. I told the person asking me to revoke the access that I'd need something from HR or legal to do that. My phone rang 15 minutes later. 30 min after that, he was gone.
GreatMyUsernamesFree@reddit
I've made the How-to-revoke-top-admins procedure before I resigned. There are sooo many unauthenticated services that rely heavily on relationships rather than account authentication. 3rd party vendor management portals and telecom services frequently maintain their own credentials not integrated with SSO or over-the-phone ID verification that doesn't check whether the employee is still employed with the customer. You need to have those listed and be prepared to contact them all quickly.
Happy_Kale888@reddit
I would have enjoyed revoking access for a couple of my old bosses :)
zupzupper@reddit
Few days before someone higher than them walks over and asks "Do you guys have access to all the systems such and such has?"
Few days later they pull them in a meeting with HR and someone walks over and says "drop what you're doing and revoke such and such's access"
223454@reddit
For all the problems with my last employer, this was one thing they did well. HR would notify my department manager that someone was getting terminated at a specific time. Our manager would arrange for one of us to be available to do it. They would usually just say something like "HR needs your help exactly at 5pm for a personnel issue." We knew what that meant, and knew to not talk about it until it was done. Right as the HR person was leaving their computer to go to the meeting room they would fire off the magic email with the name and instructions to terminate all access.
SecludedExtrovert@reddit
They get your successor to do it.
Mac-Gyver-1234@reddit
The way I saw it being handled before:
* Your manager and HR contact you physically at the desk; they pull you into a room, asking you to take your laptop with you
* They explain that in half an hour they will terminate employee XYZ. Your job will be to disable the employee's account, badges and access to all systems at exactly that time
* You are not allowed to leave the room until the task has been carried out and that person has left the building and handed over all company hardware they had with them that day
* Usually an hour later at lunch time there are SMSes going back and forth about wtf happened
Another example from the financial industry:
* Access to all systems revoked at exactly 8m. Looks like an IT problem.
* At the badge scanner and entrance of the building HR will be waiting with physical security and take the person into a side room where they are told that they are terminated effective immediately
223454@reddit
Your manager or HR will usually not even tell you who it is until they're in the meeting being fired. They leave that meeting and are immediately walked outside. Most places don't want a fired employee having access to the building, systems, or people. So when they're no longer employed, they're walked out. There isn't any awkwardness around the process of disabling accounts. Most IT people understand that it's just a part of the job, and not personal.
T_Thriller_T@reddit
This is so weird and very, very American.
Unless someone fucked up completely, accesses are not removed before they are informed they are being let go.
And firings are rare enough that the "most places" does not necessarily hold true here - it is very normal to have multiple months of notice from the employer and unless the situation was very non-amicable, employers do not pay 3ish months of salary for someone who is not doing work.
ananix@reddit
Been doing sysadm in Europe for 30 years and it's very common practice, and they most definitely do pay 3 months if you don't get any work in the meantime.
T_Thriller_T@reddit
This may be the point of it.
So far, I have inadvertently managed to always do IT in companies which do IT - software development, providers and the like. Or at least in the locations where these were the majority, together with other administrative staff.
C0rruptedAI@reddit
I mean... if you want an even more American take most people are let go Friday afternoon so that they have the weekend to cool off and pose less risk to the business and coworkers.
It's also different if you are fired 'for cause' and not just that you are being outsourced or lost a contract.
tehiota@reddit
Now, our system is integrated into the HRIS system so when HR terms them, their account dies immediately. This is the ideal way.
Otherwise, it’s just part of the job. Disabling colleagues and even senior management. There’s a level of trust and respect that needs to be given both ways to do the job right. Nothing personal, just business.
The_Syd@reddit
I have to remind myself it is just business all the time when disabling accounts. I have had close friends that I worked with that I had to revoke their access and it was hard, but I just kept telling myself that if I don't do it, they will still be out of a job and then I will too.
The only account I haven't been able to get rid of is for one of my coworkers that passed away. I still disabled it and removed any licensing from it, so it is useless, but I just haven't been able to bring myself to click delete on it. Maybe one day I will but I like how I think about him every time I see it.
TooOldForThis81@reddit
Best friend worked with me. He died in a bike accident, and that broke me. Going to work and seeing his empty desk was borderline unbearable, and having to interview someone to replace him was equally as hard.
UninvestedCuriosity@reddit
If anyone ever asks, tell them you were working on a disabled account retention policy that you never made it back to and it seemed like a good place to start. There's lots of reasons not to immediately delete accounts and just keep them disabled with high authorizations to enable again with clear valid reasons to do so. Mostly legal, but I do have a positive story to share about this as well.
I was able to get the okay to capture a bunch of photos of someone that passed for their family months later off their work account because of this policy with the right approvals and sensitive offer. Mostly conference selfies and such.
Some people close to the family were still struggling with the loss and I think the business recognized helping them do something kind would help. This was the idea floated beyond donation that seemed to be agreeable to everyone which was surprising to me but I was happy to retrieve. Staff also gathered any photos they had themselves to share. Took no time at all to put a thumb drive together.
Which just reminds us how such small acts can have big impacts if we are allowed to just be people once in a while.
The family sent a message through that it was one of the more compassionate acts surrounding the experience, that they never would have expected, and were very appreciative of the staff's conduct and empathy.
SuperGoodSpam@reddit
dude I lost someone recently and I haven't been able to talk to anyone about it and it's been eating me alive and this is the last place I expected to be reminded of that hahaha THANKS
gumbie_@reddit
Feel the second part of that hard. Recently had to cancel a phone line for the same reason. Hardest thing I've had to do in a while. I was the one that decided to cancel the line as I couldn't bring myself to reassign it to someone else.
the_federation@reddit
I hope your HR department is better than my org's. We regularly receive LDW tickets from HR that aren't actual terminations, but they say they don't know what else to call it: e.g. a user transitioned from full-time to part-time so they submitted an LDW ticket for his last day working as full-time. This became an issue when his corporate phone was wiped by our MDM when we deactivated his account.
Or when they submitted an LDW for a user at the same time as an on-boarding ticket for that same user but with their married name. Apparently, she was just switching departments.
tehiota@reddit
*shrug* that's an HR problem, not an IT problem. That's one of the benefits of doing it this way. The same HRIS system that triggers the offboarding workflow to disable their account also terminates their benefits and payroll, so when they screw up, the IT account isn't the first or second thing that gets noticed. As I mentioned though, terminating an employee starts with the hiring manager, gets reviewed by HR for compliance, then triggers the workflow. Any screw ups are 2 person, cross department screw ups, and one of those departments isn't IT. (unless it's an IT person being term'd)
ovirto@reddit
For corporate accounts to get to corporate resources, email, etc. that’s fine. For production accounts that manage the services that your customers pay for, no. You can’t risk an HR system issue impacting production.
tehiota@reddit
In another reply I mentioned we don't use normal accounts, we use service principals that are managed by a PIM system that automatically rotates and updates passwords.
TommyVe@reddit
If all your systems are managed via AD or AAD, I'm truly envious.
graph_worlok@reddit
Until somebody screws the pooch with a GPO and your backups can’t be reached… I wonder how he’s doing…
tehiota@reddit
Thanks. We use Workday for HRIS and they have both AD and AAD support depending on your needs and yes, it handles creation, disablement, and profile updates. It even handles UPN/email address creation based on business rules with fallback.
Any other workday users not using this integration are surely missing out.
Odd_Television_7824@reddit
Not a single non AD system?
DNS vendors, cert vendors, MFA vendors, break glass accounts, root cloud admin accounts, etc?
TommyVe@reddit
Okay, that's not quite what I meant to convey.
At our place, there are so many bullshit legacy nonsense things that just can't be controlled this easily. That's the place my envy comes from.
RealAgent0@reddit
Uhhhhh... Not sure how I feel about HR having unilateral control like that even over high level IT.
When you say "Account" dies, you mean Disable, right?
Our one is similar-ish. ANY user logs a specific Service Request on FreshService and fills out the terminating user's Email Address. Sends two approval emails. One to HR, one to IT. Once both approvals are received, workflow triggers a PowerShell that disables the user in both AD and Entra ID and puts them in a particular OU in AD. After 30 days of being disabled, the account gets deleted.
However, there is a particular group of users that are "Excluded" from that automation. Two High Level managers in HR, Three High Level Managers in IT and one Executive.
They're excluded from this automation. A ticket still gets created but instead a note gets added to the ticket for Service Desk to raise it with their manager to know what to do with it.
The exclusions are tied to the job title in AD, not the UPNs. So even if they get replaced, the exclusion will also cover their replacements.
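The disable step that such an approval-gated workflow would trigger, written out as an added example (it is not RealAgent0's script and nothing here comes from their FreshService setup). The module names, the holding OU path, the excluded job titles, and the convention of stamping `Disabled <timestamp>` into the description so the 30-day sweep can find expired accounts are all assumptions; the lookup, the title-based exclusion, the AD disable-and-move and the Entra ID disable follow the comment above.

```powershell
# Added example, not RealAgent0's script: the step the approved ticket triggers.
# Assumed (not from the thread): module names, the holding OU path, the excluded
# job titles, and that 'Disabled <timestamp>' in the description drives the sweep.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Disable-TerminatedUser {
    param(
        [Parameter(Mandatory)] [string]   $Email,
        [Parameter(Mandatory)] [string]   $TicketId,
        [string]   $DisabledOu     = 'OU=Disabled Users,OU=Corp,DC=example,DC=com',           # assumed
        [string[]] $ExcludedTitles = @('HR Director', 'Head of IT', 'Chief Executive Officer') # assumed
    )

    # Escape the single quote that would otherwise break the filter string.
    $safeMail = $Email -replace "'", "''"
    $user = @(Get-ADUser -Filter "mail -eq '$safeMail'" -Properties mail, title)
    if ($user.Count -eq 0) { throw "No AD account has mail '$Email'" }
    if ($user.Count -gt 1) { throw "Refusing to act: $($user.Count) accounts share mail '$Email'" }
    $user = $user[0]

    # The exclusion is keyed on job title, not UPN, so a successor in the same
    # role is protected without anyone editing the list.
    if ($ExcludedTitles -contains $user.Title) {
        return "$TicketId : $($user.UserPrincipalName) holds excluded title '$($user.Title)'. " +
               'No automated action; Service Desk to raise with their manager.'
    }

    $stamp = (Get-Date).ToUniversalTime().ToString('o')

    # On-prem AD: disable, stamp the description for the 30-day sweep, move to the holding OU.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $stamp per $TicketId"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    # Entra ID: block sign-in AND revoke refresh tokens; disabling alone leaves
    # already-issued tokens valid until they expire.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome
    Update-MgUser -UserId $user.UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null

    return "$TicketId : $($user.UserPrincipalName) disabled in AD and Entra ID at $stamp, moved to $DisabledOu"
}

# The 30-day sweep: delete accounts in the holding OU whose stamp is older than the retention period.
function Remove-ExpiredDisabledUsers {
    param(
        [string] $DisabledOu    = 'OU=Disabled Users,OU=Corp,DC=example,DC=com',   # assumed
        [int]    $RetentionDays = 30
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $DisabledOu -Filter 'Enabled -eq $false' -Properties description |
        Where-Object { $_.Description -match '^Disabled (\S+) per' -and ([datetime]$Matches[1]).ToUniversalTime() -lt $cutoff } |
        ForEach-Object {
            Remove-ADUser -Identity $_ -Confirm:$false
            "Deleted $($_.UserPrincipalName) ($($_.Description))"
        }
}

# Usage (ticket id is a placeholder):
# Disable-TerminatedUser -Email 'jdoe@example.com' -TicketId 'SR-00000'
# Remove-ExpiredDisabledUsers
```

Two choices worth noting: the function refuses to act when the mail attribute matches more than one account rather than guessing, and the Entra ID step revokes sign-in sessions in addition to disabling, because a disabled cloud account still honours tokens that were issued before the flag flipped.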
tehiota@reddit
Yes. Disable and we never re-use UPN or email.
The HR system has built-in workflows and approvals. They already have access to PII info so there has to be a high level of trust somewhere. Nothing the system does can't be undone, but at least the responsibility of terming accounts lives with the employee's manager initiating an offboard process in HRIS that gets approved in HRIS before the account is disabled.
RealAgent0@reddit
Uh, never re-using UPN or email sounds a bit annoying? Why do you have this in place? Also, how are you tracking if a UPN was previously used or not?
tehiota@reddit
UPN matches Email address always. It's in place to enable re-hiring (which happens more often than not) and maintain privacy of any retention policies where re-use of a UPN might grant access to someone else's data. Accounts have a matching employee id from Workday that's never reused.
ranger_dood@reddit
Make sure you have accounts that are not tied to this system.
SecondBestNameEver@reddit
Yes. This. Ways I've done this securely for a break glass account before: either the password is basically two parts that two different people hold, and they need to come together to each put in their part. Or, for accounts that support MFA, one person has the password and another has the token on either an app or preferably a YubiKey; or, if there aren't two top technical people, the tech person has the password and the YubiKey second factor is stored in a safe by someone like the head of finance or HR.
tehiota@reddit
We split the password between the operations team and the security team password vaults. That way it’s not limited to just 2 people and succession plans are built in with audit access to the passwords.
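The "two parts held by two people" arrangement from the two comments above, as an added example that is not code from either poster. A naive split (first half in one vault, second half in the other) leaves each custodian holding half the entropy; the XOR split below gives each side a share that is indistinguishable from random bytes, so neither vault's contents are usable alone and the pair can be re-split any time a custodian changes. The vault names and the break-glass account name are assumptions.

```powershell
# Added example, not from any poster in the thread: a two-custodian break-glass
# password. Share A is random; Share B = password XOR A. Each share alone is
# indistinguishable from random bytes. Vault names and account name are assumptions.

function New-BreakGlassPassword {
    param([int] $Length = 40)
    # 64-symbol alphabet so `byte -band 63` is uniform (no modulo bias); CSPRNG, not Get-Random.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new($Length)
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Split-Secret {
    param([Parameter(Mandatory)] [string] $Secret)
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $shareA = [byte[]]::new($plain.Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($shareA)
    $shareB = [byte[]]::new($plain.Length)
    for ($i = 0; $i -lt $plain.Length; $i++) { $shareB[$i] = $plain[$i] -bxor $shareA[$i] }
    # A hash lets the custodians confirm a reconstruction later without anyone knowing
    # the password up front; with a 240-bit password it gives a one-share holder nothing.
    $sha = [System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)
    [pscustomobject]@{
        ShareA      = [Convert]::ToBase64String($shareA)   # -> operations team vault (assumed)
        ShareB      = [Convert]::ToBase64String($shareB)   # -> security team vault (assumed)
        Fingerprint = [BitConverter]::ToString($sha).Replace('-', '').ToLower()
    }
}

function Join-Secret {
    param(
        [Parameter(Mandatory)] [string] $ShareA,
        [Parameter(Mandatory)] [string] $ShareB,
        [string] $ExpectedFingerprint
    )
    $a = [Convert]::FromBase64String($ShareA)
    $b = [Convert]::FromBase64String($ShareB)
    if ($a.Length -ne $b.Length) { throw 'Share lengths differ; these shares were not produced together.' }
    $plain = [byte[]]::new($a.Length)
    for ($i = 0; $i -lt $a.Length; $i++) { $plain[$i] = $a[$i] -bxor $b[$i] }
    if ($ExpectedFingerprint) {
        $sha = [BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)).Replace('-', '').ToLower()
        if ($sha -ne $ExpectedFingerprint) { throw 'Fingerprint mismatch: wrong share pair or an altered share.' }
    }
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# Ceremony: generate, split, set on the account, keep only the shares and the fingerprint.
$password = New-BreakGlassPassword
$shares   = Split-Secret -Secret $password
Set-ADAccountPassword -Identity 'breakglass-admin' -Reset `
    -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)   # account name assumed
if ((Join-Secret $shares.ShareA $shares.ShareB $shares.Fingerprint) -ne $password) { throw 'Round-trip check failed' }
Remove-Variable password
$shares | Format-List   # ShareA and ShareB go to their custodians; the fingerprint is recorded with both
```

Because each vault already has its own access audit, whoever pulls a share leaves a record; reconstructing the password requires a pull from both, which is what makes the succession plan tehiota describes work without the secret depending on two named individuals.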
tehiota@reddit
Of course. Break glass accounts should be part of any identity system.
Opposite_Bag_7434@reddit
This is exactly what we do.
jmbpiano@reddit
It's not my intent to dis that as an effective strategy, but my mind immediately went to how a malicious admin could exploit it.
I can't help think what an effective tool that could be for a disgruntled system admin to maintain plausible deniability while installing a dead-man's switch into the network.
"Oh, I'd used my personal credentials to run a critical service the company ERP requires to function? Whoopsie."
tehiota@reddit
Insider threats are real in all departments including IT. That's why security teams are separate from operations teams for audit purposes. Service principals are used rather than user accounts and those SPs get rotated. This all happens via Infrastructure as Code with an approval process and audit trail before entering the CI/CD pipeline.
Turbojelly@reddit
There should be a set of admin accounts used for specific things, and the global "I have the power" account(s) need to be locked up to be used in emergencies only.
So you log into your computer with your work account, then you log into AD with your AD account and disable the higher ups multiple accounts.
HeligKo@reddit
Everywhere I have worked, notably large organizations, IT didn't handle this. HR and their management revoked access through an offboarding process that triggered automation that handled the rest. IT involvement was/is maintaining the technology that allows the business to handle this.
Dabnician@reddit
The guy that is the boss of the sr admin usually does this
wraithfive@reddit
Automated systems should remove access at the moment of termination in the HR systems.
BemusedBengal@reddit
Are those "automated systems" in the room with us right now?
kirashi3@reddit
Yes. In fact, the automation is coming from inside your walls...
notHooptieJ@reddit
Having been the guy... the guy immediately below them.
Head of IT was let go; I was #2.
C suite and HR vultures circling you and an exec's laptop as you use the envelope to do the deed and promote yourself.
It's super uncomfortable, you don't get to keep the job, you likely end up interviewing your boss's replacement.
cobalt-jam88@reddit
In fintech you often pre-stage the revocation before the meeting happens. The termination meeting is 30 minutes, and during that window someone on the infra side is rotating Vault leases, cycling API tokens for service accounts, and revoking SSH certs, not just flipping an AD account. Auditors want a timestamped record showing access was removed within a defined SLA, so "we disabled his SSO" isn't enough if he also had standing credentials in three other systems. The awkwardness is irrelevant once you've got a runbook for it.
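The runbook shape the comment above describes, as an added example that is not cobalt-jam88's own code: each revocation step runs in turn, each result is written to a timestamped ledger, and anything that completed after the SLA or failed is flagged. The step bodies use the tools the comment names (AD, Entra ID, Vault, SSH certificates); the Vault auth mount, the KRL file paths, the convention that SSH certificate key IDs equal the username, the account names and the 30-minute SLA are assumptions, and the meeting time is a constructed sample.

```powershell
# Added example, not cobalt-jam88's runbook: run each revocation step, record a
# UTC timestamp and outcome per system, and flag anything outside the SLA.
# Vault mount, KRL paths, key-ID convention, account names and SLA are assumptions.

function Invoke-RevocationRunbook {
    param(
        [Parameter(Mandatory)] [string]   $Subject,          # who is being offboarded, for the record
        [Parameter(Mandatory)] [datetime] $MeetingStartUtc,  # when the termination meeting began
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $Steps,  # system -> scriptblock
        [int]    $SlaMinutes = 30,
        [string] $LedgerPath = ".\revocation-$($Subject -replace '[^\w.@-]', '_').json"
    )
    $deadline = $MeetingStartUtc.AddMinutes($SlaMinutes)
    $ledger = foreach ($system in $Steps.Keys) {
        try   { & $Steps[$system] | Out-Null; $status = 'revoked'; $detail = '' }
        catch { $status = 'FAILED'; $detail = $_.Exception.Message }   # keep going; one broken system must not stall the rest
        $done = (Get-Date).ToUniversalTime()
        [pscustomobject]@{
            Subject                  = $Subject
            System                   = $system
            Status                   = $status
            CompletedAt              = $done.ToString('o')
            MinutesAfterMeetingStart = [math]::Round(($done - $MeetingStartUtc).TotalMinutes, 1)
            WithinSla                = ($status -eq 'revoked') -and ($done -le $deadline)
            Detail                   = $detail
        }
    }
    # The ledger is the artefact auditors ask for; write it even when steps failed.
    $ledger | ConvertTo-Json -Depth 3 | Set-Content -Path $LedgerPath -Encoding utf8
    $ledger
}

# Constructed steps for one assumed leaver; every native command checks its own exit code.
$sam = 'jdoe'; $upn = 'jdoe@example.com'   # placeholders
$steps = [ordered]@{
    'AD account'        = { Disable-ADAccount -Identity $sam }
    'Entra ID sessions' = { Update-MgUser -UserId $upn -AccountEnabled:$false; Revoke-MgUserSignInSession -UserId $upn }
    'Vault tokens'      = { vault token revoke -mode path "auth/ldap/login/$sam"; if ($LASTEXITCODE) { throw "vault exit $LASTEXITCODE" } }
    'SSH certificates'  = {
        # Revoke every certificate issued with this key ID by appending to the CA's KRL (paths assumed).
        "id: $sam" | Set-Content -Path "$env:TEMP\$sam.krlspec"
        ssh-keygen -k -u -f 'C:\ssh-ca\revoked_keys' -s 'C:\ssh-ca\ca.pub' "$env:TEMP\$sam.krlspec"
        if ($LASTEXITCODE) { throw "ssh-keygen exit $LASTEXITCODE" }
    }
}
$meeting = (Get-Date '2024-01-15T14:00:00Z').ToUniversalTime()   # constructed sample
$result  = Invoke-RevocationRunbook -Subject $upn -MeetingStartUtc $meeting -Steps $steps
$result | Format-Table System, Status, CompletedAt, MinutesAfterMeetingStart, WithinSla -AutoSize
if ($result | Where-Object { -not $_.WithinSla }) { Write-Warning 'A system missed the SLA; escalate and record the exception.' }
```

The ordered dictionary matters: steps run in the sequence listed, so the identity provider goes first and the standing credentials that outlive an SSO disable follow, and the ledger shows that order with a time against each.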
Sp00nD00d@reddit
CIO after a merger, it was basically no different than anyone else.
Cyberhwk@reddit
There should never just be a single person at the top. You ask one of the other ones.
apathyzeal@reddit
This is the correct answer. Large decisions, too, should require multiple people authorizing them.
hkusp45css@reddit
In the finance sector, we refer to this as "dual control" and it's used in tons of different functions.
It's the single best non-technical security control one can put in place, in my opinion.
againstbetterjudgmnt@reddit
TPI, or two person integrity, is the common nomenclature I hear.
EmperorGeek@reddit
I’ve always seen it referred to as Four Eyes Authorization. Requires two people to sign off on certain actions.
Opposite_Bag_7434@reddit
Even outside the financial sector, any enterprise that is public or over a certain size absolutely requires very careful and appropriate governance.
apathyzeal@reddit
It's in a number of different compliance frameworks.
ImperatorKon@reddit
Practically speaking, at my last employer, several people on the IT team would have enough access to request the highest level of privilege, and a second member of the team would need to approve. So a minimum of two people needed to disable the access of anyone in the firm, regardless of their actual level of access.
So if the head of HR came to us and said we are letting your boss, or your boss's boss, go today, can you handle removing the access, we would be able to.
DisplayAlternative36@reddit
There should also always be a break glass account that exists for special circumstances and its permissions are the highest possible.
So even if the whole department was going to get axed it would be available for use in that case. It's hopefully going to send out a lot of alerts when it gets used... But it is what it is.
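One way to make sure the account "sends out a lot of alerts when it gets used", as an added example that is not the commenter's code: a scheduled check that reads the Entra ID sign-in log through Microsoft Graph and turns any sign-in attempt by a break-glass account, successful or failed, into an alert. The break-glass UPNs, the one-hour lookback and the webhook URL are assumptions.

```powershell
# Added example, not from the thread: any break-glass sign-in, successful or not,
# becomes an alert. Break-glass UPNs, the lookback window and the webhook URL are assumptions.
#Requires -Modules Microsoft.Graph.Reports

function Get-BreakGlassSignIns {
    param(
        [Parameter(Mandatory)] [string[]] $BreakGlassUpns,
        [int] $LookbackHours = 1
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($upn in $BreakGlassUpns) {
        # Failures matter as much as successes: a wrong password on this account is someone probing it.
        $filter = "userPrincipalName eq '$upn' and createdDateTime ge $since"
        Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
            $outcome = if ($_.Status.ErrorCode -eq 0) { 'success' } else { "failure ($($_.Status.ErrorCode): $($_.Status.FailureReason))" }
            [pscustomobject]@{
                When     = $_.CreatedDateTime.ToUniversalTime().ToString('o')
                User     = $_.UserPrincipalName
                App      = $_.AppDisplayName
                Ip       = $_.IpAddress
                Location = "$($_.Location.City), $($_.Location.CountryOrRegion)"
                Outcome  = $outcome
            }
        }
    }
}

function Send-BreakGlassAlert {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $WebhookUrl
    )
    # Post JSON to a paging/chat webhook. The receiving side pages on-call and opens a ticket,
    # so even an authorised use (the close-out consultant) gets reconciled against an approval.
    $body = @{
        title  = "Break-glass account activity: $($Events.Count) sign-in event(s)"
        events = $Events
    } | ConvertTo-Json -Depth 4
    Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType 'application/json' -Body $body | Out-Null
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
$events = @(Get-BreakGlassSignIns -BreakGlassUpns 'breakglass-admin@example.com', 'breakglass-admin2@example.com')  # assumed UPNs
if ($events.Count -gt 0) {
    $events | Format-Table -AutoSize
    Send-BreakGlassAlert -Events $events -WebhookUrl 'https://alerts.example.com/hook/PLACEHOLDER'
}
```

Run it from a scheduled task or automation account on a cadence shorter than the lookback window so consecutive runs overlap rather than leave gaps; a duplicate alert is cheap, a missed break-glass sign-in is not.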
ImperatorKon@reddit
Yep, explicit best practice in the Microsoft universe. But someone from outside the department would need to know and have access. Practically speaking if a whole department was to be let go they would probably have the department head take care of all this stuff, or external consultants.
DisplayAlternative36@reddit
Yeah, keeping an account specifically for a C-suite level person to handle these kinds of tricky situations. Always terrifying cuz they have access to something they usually have no business using. But at least having it so they can provide it to a close-out consultant or whatever is handy.
hkusp45css@reddit
Funny, we require concurrence to stand stuff up, we get rid of stuff mostly unilaterally.
Lonely-Abalone-5104@reddit
Except companies are cheap
Opposite_Bag_7434@reddit
Some are. We stopped being cheap when we started seeing much bigger numbers.
Aeterice@reddit
Exactly, and in case that or those others are unavailable a lower tier admin who’s given access by upper management via breakglass accounts
Putrid_Fun2192@reddit
Working IT during lockdown when my employer laid off over 1200 of the ~1700 employees was ROUGH. Plenty of big fish above my rank were laid off. It was a team effort to change account managers and revoke accesses.
Regen89@reddit
CISO, and for everyone else including the CISO, your top IAM OG.
CAMx264x@reddit
We had to remove a VP’s access and it was 6 people with fingers on the mouse ready to start removing access as soon as they were pulled into their meeting.
MentalSewage@reddit
Their manager/director. If they are the tip top, somebody under them.
Source: I revoked access to the guy that trained me a week after he made the call to hire me. Twice, actually, in my career.
crankysysadmin@reddit
I had to fire the senior sysadmin responsible for AD. The CISO and I called a more junior AD admin into a meeting at 9 am. I explained to him that the senior AD admin was about to be terminated and he would have to push the button when I messaged the CISO and they both needed to stay in there. The CISO's job was to make sure the sysadmin couldn't communicate with anyone until I was done.
I then called the senior sysadmin into a meeting with HR and we fired him, and while keeping him away from his computer I messaged the CISO who made sure the other sysadmin locked the main admin out.
blbd@reddit
Damn what did the admin do?
crankysysadmin@reddit
Repeatedly insubordinate and was not reliably taking care of mission critical systems. Final straw was disappearing during an outage.
blbd@reddit
Yikes
Eddit13@reddit
God. And yes he wants a ticket.
Significant-Key-762@reddit
I was top tier admin. HR terminated me and my immediate subordinate cut me off and shut me out on their instructions.
Sliffer21@reddit
The CEO of course with his Global Admin daily driver account of course!
FireCyber88@reddit
The other top of chain sysadmins
Roquer@reddit
I've given a few retiring coworkers the option to use their admin to disable their own account on their last day. Most of them thoroughly enjoyed it.
ihaxr@reddit
Coworker and I weren't sure if you could disable your own account... It seems like a very stupid thing to allow.
Needless to say, he had to re-enable my account after curiosity got the better of me.
Loudergood@reddit
When our CTO left a few years ago, it was me (a Sr admin). When I got let go after he came back (budget layoffs), he shut me off.
DonL314@reddit
Worked for a smaller company, 40 ppl. One afternoon, boss came in, told me my closest colleague and good friend would be laid off the following day and that I should disable his access at 10 when he would be called to a meeting.
That was an awful, long night for me but I had to be professional about it and I couldn't talk to my friend until after.
not-at-all-unique@reddit
You don’t get much notice.
Usually you’re spoken to by the HR/manager that will fire a co-worker whilst they are on the way to the meeting.
The one time I’ve dealt with this, the manager left the HR meeting to request the account suspension.
It’s not likely that you get a lot more notice than the guy about to be fired, because they won’t want you to tip off the guy.
Ticket logged with high priority, and escalation via management chain.
It's that simple.
You nuke their access because you're told to, just like they'd nuke yours. It's a job, it's not personal.
There is no one big admin account. Always more than one account, or recovery options will exist.
Opposite_Bag_7434@reddit
Not awkward. I’ve prepped my team for when I exit, likely by retirement but I am completely transparent about this very need.
I actually had to make sure HR and my boss had access to our emergency credential store before the pandemic, and it came in handy. I then had to be the one that let them know I needed to be locked out. Hundred million dollar company but very small IT staff.
Where I am now we have automated the entire process. So if I get sacked they really don’t need to do much. A few root level accesses that I would hand over carefully. And extremely professionally.
I have had to sack other high level sysadmins that did pose a risk, but this seems pretty rare at this level. I've also had to terminate access for multiple C-suite roles. But this is a different matter.
chut93@reddit
I would be what you call a "top dog" at my workplace. It honestly gives me extreme anxiety being the only one with the level of access I have. I've actually made it a goal to make sure there is always at least one other person who has the level of access I do.
Let me tell you, it's such a stress relief knowing that I can actually take a vacation and not need to worry about having to work during it because some C level said it needs fixed now and I'm the only one who can do it.
I haven't taken a real vacation in such a long time because of it. I'm finally at a point where I'm beginning to plan one with my wife for a whole month. I have no doubt my guys will be able to take care of everything while I'm gone.
Never again will I work for a company where I won't have an equal in some capacity. Not worth the stress.
Spitcat@reddit
Anyone senior enough to be in a position like that would have at least a 3 month notice period if not longer, it's a long ass process.
If it’s a “surprise” then there is months of work to be done both before and after
jasondbk@reddit
Boss: we just fired xyz and you don’t have clearance to disable their account. Just try and log on as xyz until it locks the account for bad passwords.
NotYetReadyToRetire@reddit
In my case, I was the senior administrator, and I knew I was going to be in the upcoming round of layoffs. Just before going to the meeting where I expected to be laid off, I had my assistant disable my account. Worst case, if I was wrong, I'd have them reenable my account afterward. I was right, so my account being disabled before the meeting meant any issues afterward weren't my fault or my problem.
And since I was the only one who knew everything about all of their systems, there were many problems; some they lived with, others they paid quite a bit extra for my assistance. Oh, well, that's the price you pay when you lay off the guy who was there when the building was built, the cabling was run, who punched down the phones and Ethernet jacks, and built the servers and many of the user PCs while keeping those servers running 24/7/363 (Thanksgiving and Christmas didn't have shifts working).
Pristine_Curve@reddit
A few times. It's not awkward or dramatic. Just follow the normal process for people with sensitive access.
Master-IT-All@reddit
I do it. I don't care.
Trust_8067@reddit
Usually in IT, your last day is your last day. Meaning, if you put your 2 weeks notice in, HR will be reaching out to someone with access to disable all their admin accounts during lunch, and they'll be escorted out that afternoon.
Other than a PIP, same thing when you're let go. You find out when it's time to make the change.
BwanaPC@reddit
I'm "at the top" but I've created processes to remove access for every account org wide upon termination. The HRIS is tied into processes that disable access for every user as needed.
awetsasquatch@reddit
I've turned off access for a couple of people I considered friends, it sucks but it's part of the job. I've also shut access off for people I've never liked - there's a mild schadenfreude that happens lol
Mister_Brevity@reddit
First, as a professional you handle things professionally. Nothing you do can reverse what has been set in motion. Nothing you did was (probably) the entire reason for the action being taken. It can be uncomfortable, that is a normal human reaction.
Second, proper setup and documentation should mean there are termination processes in place. Find the plan, follow the plan, document everything.
Soggy-Attempt@reddit
Their boss
che-che-chester@reddit
I had to revoke our sysadmin’s access when I was a junior sysadmin. I also had to put his stuff in a box and carry it up to the boardroom where he was waiting after being fired. Awkward? A little. But he was such an asshole that I volunteered to take his box up.
Eli_eve@reddit
I've never worked at a place that had only a single person with admin access to systems. Nor have I ever worked at a place without an "in case of emergency, break glass" admin account.
T_Thriller_T@reddit
I had many who did not have the latter, or at least not for all systems - because they had a good set of high level admins.
TheGenericUser0815@reddit
Yes, I once needed to revoke all permissions for a CEO of a bank I worked for. It had to be done IMMEDIATELY. At that time I had no clue why, that came out later.
T_Thriller_T@reddit
Those are the few awkward cases: when someone/something completely clashed, or there is criminal behaviour involved.
But I feel those are also awkward if it is "Greta from accounting". More the nature of the case than the position of the person.
WhateverHowever1337@reddit (OP)
Mind to share what happened?
TheGenericUser0815@reddit
A supervisory board meeting escalated completely. The CEO wanted a new contract with much more money and control, but the board wouldn't agree. The CEO went bonkers and was removed from the meeting by security.
_haha_oh_wow_@reddit
Typically that would be the security team (IT security, not physical security, that's a different department, which may also be involved in firings).
IceCubicle99@reddit
At my last gig, I had to terminate my own accounts because I had the highest level of access.
T_Thriller_T@reddit
I think I terminated / lowered access for my last job for myself.
Not on all systems, but one certain one I was technically taking care of as subject matter expert, but also helped with user handling due to the admins really having enough important stuff to do.
But at least I didn't need to. Just felt right as a last step.
Expensive_Plant_9530@reddit
That would typically be the sysadmin’s boss, manager of IT.
Otherwise another top level sysadmin would be brought in the loop. Or an MSP.
zer04ll@reddit
Whoever has access to sign users out and lock profiles. Some systems are automated by HR so if they hit terminate it's automatic. Sometimes you hire contractors to do it, yes firing people is a job some folks have. Many IT systems are set up so that a help desk can lock a profile or change a password, so if their boss tells them to do it then they can. This is why certain admin creds are not given to anyone, like the actual domain admin password that is created when setting up a domain controller. Every time I have had to do it, a report of what access they have is made to confirm it won't break key systems and then typically at the end of the day they would have me lock the user account while the person being fired was in their termination meeting. I have also done a hostile one where the dude literally threw his hands in the air and said I fucking quit and my boss just gave me the do it now look.
T_Thriller_T@reddit
If a top chain admin, dev or anything is FIRED it's pretty much always awkward.
Either openly awkward, due to there having been a dispute or sometimes "simple" layoffs which staff typically do not agree with, or awkward now because something went pretty wrong.
If a person leaves, even suddenly, it's very much business as usual.
There should always be at least two people with high enough access for this kind of administrative work, so it's just work.
odinsdi@reddit
I offboarded the SVP that hired me like 4 weeks into my job. He came in and gave me his badge, keys, and laptop. He was a cool dude.
HR tells whoever in the Systems/IT/whatever department and you are supposed to keep quiet about it. It sucks sometimes, but that's a part of the job.
Calyx76@reddit
Yes, and I had another admin read it and make sure I did everything. They signed off that it was completed, I signed off that I did it. And we sent it to HR to continue its journey.
jrwnetwork@reddit
Yes, several times. HR Director would let me know ahead of time and I would get a call once they approached the person and would disable while they were being notified.
jimicus@reddit
Depending on the organisation layout, there should always be at least two people with authority to disable any account they damn well like. Up to and including the guy at the top.
(In practical terms, it's seldom an issue because relatively few organisations have permissions that tightly structured. Oh, sure, you might have a bunch of people at different places in the pecking order, but the admin permissions are nowhere near as granular).
TopherBrink19@reddit
Our off boarding procedure was so bad I literally revoked my own access to most systems.
arvidsem@reddit
I maintain a "hit by a bus" file that should be plenty for someone to revoke/transfer my access accounts. But I'm sure that I would have to remind them where it is if they were letting me go.
No-Algae-7437@reddit
There should be a break glass account that has the permissions and access to create a new lead admin just for the "bus factor".
CommanderApaul@reddit
We have auto provision/de-provision through a custom connector between our internal billing and AD. Order the AD service, account provisions and licenses for O365 at the next hourly sync. Cancel their AD account service, it nukes the account at the next hourly sync and kicks off ediscovery processes, and they can submit orders in advance with an effective date. It's an almost entirely hands-off process.
We still manually handle sensitive terms, as the identity SME that's usually on me. It's part of the job and it always sucks, but I think that lets me know I still have a soul.
AutomaticGrape9263@reddit
You wouldn't dare
Velvet_Samurai@reddit
I've only had to do this once. We had been talking about it for a couple of days. We're a small team and I was trying to talk my boss out of it but he said it was the right thing to do.
So we just stayed in text contact up until the second it was happening. I got a text that they were walking with him to HR. That's the moment I changed all of his passwords. Was not awkward for me because I didn't have to fire him.
I have seen several VPs get fired this way. Wasn't quite as big of a deal because VPs don't have access to jack shit.
cjcox4@reddit
I have been involved in departures of people above me. It is difficult.
However, even more so if I held the "info" that would be used in those terminations. So, at least for me, that's the scariest, because the person involved could terminate you when you "might" (emphasis) have important data that "might" (emphasis) lead to their own termination. Sort of whistleblower-like things.
Bonus content for a worst case (something to avoid):
You never want "solo" auth islands. Even if there's an "extra step" for underlings, there has to be some "way" to prevent access and, even, knowledge that is critical to operations from departure.
So, that could be other sysadmins, could be a different organization, possibly both. But "all stop" because of a departure? No.
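Several replies above make the same point from different angles: the "at least two people with access" rule, the "hit by a bus" file, the break-glass account for the bus factor, the warning against "solo" auth islands, and the access report that gets made before an account is locked. The following is an added example (not a tool from this thread) of the pre-check a peer admin would run over a hand-maintained access inventory before a termination meeting: it finds systems whose access is known to only one person, and builds a per-system revocation plan for a named user that flags anything nobody else could actually carry out. The inventory, usernames and system names are constructed for the example.

```python
"""Offboarding pre-check for a departing administrator (added example).

Assumes a hand-maintained access inventory (the "hit by a bus" file), here
constructed inline. All systems, usernames and fields are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    system: str
    kind: str            # "sso": disabling the account is enough
                         # "shared": a shared secret must be rotated
    holders: frozenset   # usernames who can use or administer this access
    break_glass: bool = False  # a sealed break-glass credential exists


# Constructed inventory: alice is the departing admin.
INVENTORY = [
    Entry("ad-domain", "sso", frozenset({"alice", "bob"}), break_glass=True),
    Entry("o365-tenant", "sso", frozenset({"alice", "bob"})),
    Entry("firewall-console", "shared", frozenset({"alice"})),  # only alice knows it
    Entry("telecom-portal", "shared", frozenset({"alice", "carol"})),
    Entry("backup-vault", "shared", frozenset({"bob"}), break_glass=True),
]


def sole_holder_risks(inventory):
    """Systems whose access is known to exactly one person (bus factor 1).

    These violate the 'at least two people' rule regardless of who is leaving.
    """
    return sorted(e.system for e in inventory if len(e.holders) == 1)


def offboarding_plan(inventory, user):
    """Per-system revocation actions for `user`.

    An entry is BLOCKED when no remaining holder and no break-glass credential
    could perform the action, i.e. the departure would create an 'all stop'.
    """
    plan = []
    for e in inventory:
        if user not in e.holders:
            continue
        peers = e.holders - {user}
        action = "disable account" if e.kind == "sso" else "rotate shared secret"
        if peers or e.break_glass:
            status = "ok"
        else:
            status = "BLOCKED: no peer and no break-glass credential"
        plan.append({
            "system": e.system,
            "action": action,
            "peers": sorted(peers),
            "status": status,
        })
    return plan


def blocked_systems(plan):
    """Systems in a plan that cannot be revoked by anyone but the departing user."""
    return [p["system"] for p in plan if p["status"].startswith("BLOCKED")]


if __name__ == "__main__":
    print("bus-factor-1 systems:", sole_holder_risks(INVENTORY))
    for step in offboarding_plan(INVENTORY, "alice"):
        print(step)
```

The useful output is the BLOCKED list: every entry on it is a credential that has to be captured (or a break-glass account sealed) while the person is still cooperative, because after the meeting nobody left in the building can rotate it.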
One-Economics-9306@reddit
I've been doing this close to 20 years. HR or VP will come into the office and shut the door. Then you start working your way through systems they have access to and rotating critical passwords. Of all the accounts I've offboarded, the Nuns at a former Catholic College were the hardest. When they're doing cutbacks and they're firing the Nuns it shows they truly don't care about anyone at the organization. They ceased operations within a year after that. Someone had to stay behind and lock up.
groundhogcow@reddit
I work for money and I listen to the person writing the checks even if they are wrong.
I do tell them when they are wrong, but I do it.
It would take a lot to lock me out of any system I have administrated. I have never tried to get back into any of them so I am not sure of how good a job they have done.
Acheronian_Rose@reddit
In my experience, because of how my company handles situations like this, it's never a surprise. We do everything we can to make it work out for them, but sometimes it's just not the right fit.
The problem isn't awkwardness, it's making sure any and all access is revoked so no damage, accidental or intentional, can be done.
siedenburg2@reddit
Don't let it be awkward. In such a situation, most of the time the person let go knows beforehand that it's happening, or at least thought that it would happen. Do your job (so you're not the next) and be as friendly as you normally are with the person.
Depending on the reason why the person was fired perhaps there is even a grace period, use that time to get as much knowledge as possible, you should not ask the person after that about anything.
xendr0me@reddit
I mean, you do your job, your loyalty lies with the company since they are the one providing the paycheck. It's pretty simple.