
Exit procedures and permission removal



Lead:

Andrew Carey


Important Notice:

E-mail exit procedures must be completed for departing employees before their permissions are removed!


Description:

Tools have been developed so that, when a user leaves IFAS, an OU Admin may easily do the following for persons within their OU:

  • remove the user from all “. IFAS” UFAD groups,
  • remove the user from all local groups on IFAS machines,
  • Note: the following were also originally automated, but concerns over coordination with UF have postponed their implementation. They can be requested of IFAS IT/SA, but certain steps must be completed first. Please see the E-Mail exit procedures documentation for details on what needs to be done to handle e-mail for exiting employees.
    • forward their IFAS email address to Gatorlink for 1 year,
    • and back up their mailbox and place it in \\ad.ufl.edu\IFAS\Private\PST at the time of the forward. This share will be secured to Unit-Admins only.

The process should also include letting your users who are leaving know how to access their Gatorlink email (or forward that to another location via the Modify link at http://gatorlink.ufl.edu).

Once the exit and permission removal processes are completed, you may have your unit directory liaison remove the "Network Managed By" relation for the user, moving them out of IFAS.


Permission reports:

Reporting tools have been established to assist in determining the permissions currently in effect throughout IFAS.


The "Pending Removal" Group:

The group “. IFAS-USERS PENDING REMOVAL” has been created at ad.ufl.edu/UF/Departments/IFAS/-Central-IT/Groups/Admin Groups/. This group carries the same deny rights as the “. IFAS-DISABLE IFAS ACCESS” group (i.e., members of this group are denied logon rights on all IFAS computers via GPO). The intent was that this group could be populated automatically from the results of the quarterly questionable users query, and that IFAS OU admins would have access to remove users from the group to restore access for anyone who was inadvertently included. Unfortunately, progress on approving this process halted when Chris Hughes was relieved of management duties for this project. Consequently, the ICC and IFAS administration have never considered this process for approval, and the group has never been populated.


Permission removal details:

There is a website, http://itsa.ifas.ufl.edu/remperms, that is secured to IFAS OU admins. This site allows the removal of most IFAS permissions for a user, including membership in “. IFAS” groups and membership in local groups on IFAS machines. Originally these processes also included the backup and removal of the Exchange mailbox, but that has since been removed. All removed permissions are logged, as is the admin requesting the removal. In addition to this removal, the Network Managed By relationship will need to be removed manually for the user through the my.ufl.edu interface.

Originally there was a computer startup script for all machines in IFAS, “\\ad.ufl.edu\netlogon\IFAS\ComputerStartup.vbe”, that exported the local group memberships from each machine. In late September 2008 this script was removed because its role had been taken over by LanSweeper.

A scheduled job removes the local group memberships that OU admins have requested be removed, retrying each request until the membership is actually gone. If a machine is not online, its request record is left in place for the next run. This process runs continually with a 15 minute pause between completed runs. All successful deletions are logged.

A second scheduled job queries for the UFAD group memberships that OU admins have requested be removed and removes them. This process runs continually with a 1 minute pause between completed runs. All successful deletions are logged.
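The following is an added example and is not the remperms site or its scheduled jobs. It models the two removal paths described above: immediate removal of a user from every UFAD group whose name starts with “. IFAS”, with each removal logged together with the requesting admin, and a retry queue for local group removals on IFAS machines in which a record is dropped only after the removal succeeds and is kept for the next run if the machine is offline. It assumes the ActiveDirectory module, PowerShell remoting to the machines, and Remove-LocalGroupMember (PowerShell 5.1 or later) on them. The log and queue paths, the queue columns, and the UFAD\user form of member names are assumptions.

```powershell
# Added example (not IFAS code). Assumes: ActiveDirectory module, remoting to IFAS machines,
# LocalAccounts module on them, and the paths below (all assumptions).
Import-Module ActiveDirectory

function Write-RemovalLog {
    param([string] $LogPath, [string] $RequestedBy, [string[]] $Fields)
    # One tab-separated line per attempt: timestamp, requesting admin, then the details.
    (@((Get-Date).ToString('o'), $RequestedBy) + $Fields) -join "`t" | Add-Content -Path $LogPath
}

# (1) UFAD ". IFAS" group memberships: removed directly, each attempt logged.
function Remove-IfasGroupMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $RequestedBy,
        [string] $GroupPrefix = '. IFAS',
        [string] $LogPath = 'C:\IFAS\Logs\remperms.log'   # assumed path
    )
    $user = Get-ADUser -Identity $SamAccountName
    # Direct memberships only (memberOf); access inherited through nested groups is not touched here.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.Name.StartsWith($GroupPrefix) })
    foreach ($g in $groups) {
        if (-not $PSCmdlet.ShouldProcess($g.Name, "Remove $SamAccountName")) { continue }
        try {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
            Write-RemovalLog $LogPath $RequestedBy @($SamAccountName, $g.DistinguishedName, 'REMOVED')
        } catch {
            Write-RemovalLog $LogPath $RequestedBy @($SamAccountName, $g.DistinguishedName, "FAILED: $($_.Exception.Message)")
        }
    }
    return $groups.Count
}

# (2) Local group memberships: queued as Computer,Group,Member,RequestedBy rows and retried each run.
function Invoke-PendingLocalRemovals {
    param(
        [string] $QueuePath = 'C:\IFAS\remperms\pending-local.csv',   # assumed path
        [string] $LogPath   = 'C:\IFAS\Logs\local-removals.log'       # assumed path
    )
    $remaining = foreach ($rec in @(Import-Csv -Path $QueuePath)) {
        # Offline machine: keep the record untouched for the next run.
        if (-not (Test-Connection -ComputerName $rec.Computer -Count 1 -Quiet)) { $rec; continue }
        try {
            Invoke-Command -ComputerName $rec.Computer -ErrorAction Stop -ArgumentList $rec.Group, $rec.Member -ScriptBlock {
                param($Group, $Member)
                # Remove only if still present; an already-absent member counts as done.
                if (Get-LocalGroupMember -Group $Group -ErrorAction Stop | Where-Object Name -eq $Member) {
                    Remove-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
                }
            }
            Write-RemovalLog $LogPath $rec.RequestedBy @($rec.Computer, $rec.Group, $rec.Member, 'REMOVED')
        } catch {
            # Access denied, missing group, remoting failure: keep the record and log the reason.
            Write-RemovalLog $LogPath $rec.RequestedBy @($rec.Computer, $rec.Group, $rec.Member, "FAILED: $($_.Exception.Message)")
            $rec
        }
    }
    # Rewrite the queue with only the unfinished records (header only when nothing remains).
    if ($remaining) { @($remaining) | Export-Csv -Path $QueuePath -NoTypeInformation }
    else { Set-Content -Path $QueuePath -Value 'Computer,Group,Member,RequestedBy' }
    return @($remaining).Count
}

# Usage (dry run the AD removal first with -WhatIf):
#   Remove-IfasGroupMemberships -SamAccountName jdoe -RequestedBy $env:USERNAME -WhatIf
#   while ($true) { Invoke-PendingLocalRemovals; Start-Sleep -Seconds 900 }   # 15 minute pause between runs
```

Two design points worth noting. Get-ADPrincipalGroupMembership reads the user's memberOf attribute, so a user who reaches an IFAS resource through a nested non-IFAS group keeps that access; that is the same gap the page describes for shares secured with other groups. In the local queue, a member that is already absent is treated as success, so a record cannot loop forever on a machine where someone removed the membership by hand.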

Because there was no interest in removing Domain Users from the local Users group on IFAS machines, any account that still exists in UFAD, including that of an ex-IFAS employee, can still log on to an IFAS machine interactively after the removal process has run; physical security of the machines is therefore required to keep ex-IFAS employees off them. In addition, if shares are secured using non-“. IFAS” groups or autogroups, those shares may remain accessible to ex-employees, because the removal process only touches “. IFAS” groups and local groups. It is important to review your physical security and share permissions to ensure this is not a problem for your resources.
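The following is an added example and is not part of the original page: a read-only check, run against IFAS machines over PowerShell remoting, for the two residual exposures described above. It reports “Domain Users” still present in the local Users group, which lets any UFAD account log on interactively, and share permissions granted to anything other than a “. IFAS” group or the built-in administrative principals. It assumes the LocalAccounts and SmbShare modules on the targets (Windows 8 / Server 2012 or later); the NetBIOS domain name UFAD and the allow-list of administrative principals are assumptions.

```powershell
# Added example (not IFAS code). Assumes remoting, LocalAccounts and SmbShare modules on the
# targets; the domain name and the $allowed list are assumptions.
function Get-IfasExposureReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $Domain = 'UFAD',
        [string] $GroupPrefix = '. IFAS'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Domain, $GroupPrefix -ScriptBlock {
        param($Domain, $GroupPrefix)
        # Principals that may legitimately appear on a share without being an IFAS group (assumed list).
        $allowed = @('BUILTIN\Administrators', "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')

        # (a) Local Users membership: Domain Users here means every domain account can log on.
        Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq "$Domain\Domain Users" } |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'DomainUsersInLocalUsers'; Share = ''; Principal = $_.Name; Right = 'InteractiveLogon' }
            }

        # (b) Share ACLs: every Allow entry for a non-IFAS, non-administrative principal.
        # Administrative shares (C$, ADMIN$, IPC$) are skipped. Only share-level permissions are
        # examined here; the NTFS permissions on each share path need the same review.
        Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccountName -notlike "$Domain\$GroupPrefix*" -and
                $allowed -notcontains $_.AccountName
            } |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'NonIfasShareAccess'; Share = $_.Name; Principal = $_.AccountName; Right = $_.AccessRight }
            }
    } | Select-Object PSComputerName, Finding, Share, Principal, Right
}

# Usage: Get-IfasExposureReport -ComputerName ifas-pc01, ifas-pc02 | Format-Table -AutoSize
```

Effective access to a share is the more restrictive of the share permission and the NTFS permission on the path, so a share that this check flags may still be safe if NTFS is tight, and a share it passes may still be exposed through NTFS; the share-level report is the starting point, not the whole review.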

Several processes will also run to generate reports of people in local groups and “. IFAS” groups who are no longer in the IFAS OU. These reports will be useful in identifying people who may have slipped through the cracks. Another report will list accounts that have not logged into UFAD in the last 60 days.
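The following is an added example and is not one of the IFAS reporting processes: two of the reports described above, the “. IFAS” group members whose accounts are no longer under the IFAS OU and the accounts with no UFAD logon in 60 days, built with the ActiveDirectory module. The IFAS OU distinguished name is derived from the canonical path given on this page (ad.ufl.edu/UF/Departments/IFAS) and is an assumption; the local-group half of the first report needs per-machine data (LanSweeper) and is not covered here.

```powershell
# Added example (not IFAS code). Assumes the ActiveDirectory module; $IfasOU is derived from the
# canonical path on the page and is an assumption.
Import-Module ActiveDirectory
$IfasOU = 'OU=IFAS,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu'

# Report 1: members of ". IFAS" groups whose account no longer sits anywhere under the IFAS OU.
function Get-IfasGroupMembersOutsideOU {
    param([string] $SearchBase = $IfasOU, [string] $GroupPrefix = '. IFAS')
    foreach ($g in Get-ADGroup -LDAPFilter "(name=$GroupPrefix*)" -SearchBase $SearchBase) {
        # -Recursive expands nested groups, so members reached indirectly are caught as well.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notlike "*,$SearchBase" } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g.Name; Member = $_.SamAccountName; MemberDN = $_.DistinguishedName }
            }
    }
}

# Report 2: IFAS accounts with no UFAD logon in the last 60 days.
function Get-IfasInactiveUsers {
    param([string] $SearchBase = $IfasOU, [int] $Days = 60)
    # -AccountInactive keys on lastLogonTimestamp, which domain controllers only refresh when the
    # stored value is more than about 14 days old, so the cutoff is coarse by up to that much.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly -SearchBase $SearchBase |
        Get-ADUser -Properties LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate, DistinguishedName
}

# Usage:
#   Get-IfasGroupMembersOutsideOU | Export-Csv .\ifas-members-outside-ou.csv -NoTypeInformation
#   Get-IfasInactiveUsers | Sort-Object LastLogonDate | Format-Table -AutoSize
```

The first report is the check that catches the gap left when the Network Managed By relation is removed before (or without) the permission removal: the account leaves the IFAS OU but its group memberships stay. The second report should be read with the 14 day lastLogonTimestamp granularity in mind before anyone is added to a pending-removal group on its strength.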

These processes and procedures may undergo some additional refinement in the upcoming weeks to ensure they meet IFAS goals for the removal of permissions. Additional functionality is planned including reporting for OU admins, cleanup processes for the source data to remove machines that are no longer valid, and the removal of forwards after one year.


In case of a security incident or an unfriendly termination of an IFAS employee:

Please contact the IFAS ISM. There is a group named “. IFAS-DISABLE IFAS ACCESS”; adding a user to it immediately removes all access to all IFAS resources, until the access can be removed properly. Note that the deny is enforced through group membership, which Windows evaluates when a logon token is built, so it blocks new logons; a session the user already has open on a machine is not ended by the group change and must be terminated separately. This is for emergency usage only; it is not the normal process for removing permissions when someone leaves IFAS.


last edited 28 October 2008 by Steve Lasley