User management is the internal I.T process that governs how you handle the on-boarding and off-boarding of users. It also covers how permission and access requests, file structure permissions and group memberships are handled, along with the other fundamentals of basic user management. This is one of those vital business processes that must be taken seriously to ensure consistency and compliance. Every organisation is different and has its own procedures and processes for user management, so this blog is intended as a general overview that should be relevant to most readers.
On-boarding new users
When onboarding a new user there should always be a process or checklist for the steps required, so that new users are created consistently and no steps are missed along the way. Missing steps in this process can have major consequences, from the user becoming less productive in their role through to creating extra work for your I.T help desk, forcing the team to finish steps that were not completed or were completed incorrectly. In most cases, I have found the on-boarding process to be more in-depth than the off-boarding, but the off-boarding process is actually the more critical one because of the security and compliance issues involved. We will cover that later on.
During the onboarding process, it is important to try and get HR involved. I.T and HR should work closely together through most processes involving users. I.T should never do anything unless it comes from HR first, and HR should ultimately approve each process when it comes to user management. In turn, HR will often turn to I.T to ensure that their staff have the correct tools to perform their role, and will often ask for recommendations on how to improve systems and processes. Some organisations use their HR department to take some workload away from their I.T department, such as managing users' titles, managers and even phone numbers through AD. An example of a tool that can be used here is “ADManager Plus”, which can be set up to give an HR staff member access to a GUI or web interface with restricted access to change only these fields. This tool also has a great reporting feature and can perform a level of automation, so if a user changes roles it will automatically change the user’s group memberships and security access levels.
HR will be responsible for starting the on-boarding process by sending through a new user form with all the details required, such as role, groups or access required. The new user is then created in Active Directory accordingly. The next step in the I.T process is usually to set up an email account for the user.
Adding users to security groups to provide file access is an important step in the process and must be done right. Always use security groups to provide access to resources, and never grant permission on anything directly to a single user. It doesn’t matter if you need to create a group and populate it with just one user. Permissions should always be set using groups, and when creating security groups try to make sure you put a description on each group. This is just an extra step, but it goes a long way in the long run when you need to understand which groups perform which role.
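An audit for the two rules above, added here as an example and not taken from the original post: it lists explicit folder permissions granted directly to a user account, and security groups that have no description. The function names and the sample path are assumptions; it uses the RSAT ActiveDirectory module.

```powershell
# Added example. Requires the RSAT ActiveDirectory module; run it where the
# folders are reachable. Function names and the sample path are hypothetical.
Import-Module ActiveDirectory

function Find-DirectUserAce {
    param(
        [Parameter(Mandatory)] [string] $Path,  # e.g. 'D:\Shares' (constructed path)
        [int] $Depth = 2                         # folder levels below $Path to inspect
    )
    $classBySid = @{}   # cache: SID -> AD object class, avoids repeated lookups
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth)
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            if ($ace.IsInherited) { continue }   # report an ACE only where it was set
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }                 # account name no longer maps to a SID
            if (-not $classBySid.ContainsKey($sid)) {
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
                $classBySid[$sid] = if ($obj) { $obj.ObjectClass } else { 'other' }
            }
            if ($classBySid[$sid] -eq 'user') {  # groups and built-ins are skipped
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

function Find-UndescribedGroup {
    # Security groups whose Description attribute is empty.
    Get-ADGroup -Filter "GroupCategory -eq 'Security'" -Properties Description |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
        Select-Object Name, GroupScope, DistinguishedName
}
```

Each row returned by `Find-DirectUserAce` is a permission to replace with a group, even if that group ends up with a single member.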
The way you structure your Active Directory when it is first implemented is important when managing your users. Structure your organisational units either by department or by location. If you are a big organisation I would do both, by location and then by department. This helps when using group policy and assigning different user policies to different OUs that require different settings. Another step you can take to assist in the creation of users is to create user template accounts for each role that you have at your organisation. These templates can have pre-populated group memberships, address details and title details to save you heaps of time manually entering this data.
Inventory and asset management is one of those steps that you will often find in both the on-boarding and off-boarding processes. This ensures that the user has the right gear to perform their role. Asset management is a critical IS process, and capturing this data at these stages ensures that the data is always kept up to date and helps other ITIL service desk processes such as incident management, problem management and change management, to name a few.
Most systems that you have implemented on your network these days, whether they are on-premise or cloud-based, will have the option to use LDAP or single sign-on integration. My advice is to use this where possible, so that if a user changes their password it changes on all systems at the same time. This will save you heaps of time: when a user starts you do not need to set up accounts on all of your individual systems, and when a user leaves it will be as easy as disabling one account rather than numerous accounts. Let’s face it, the fewer passwords a user has to remember, the less likely they are to call the help desk for assistance logging in. Take the time and work with your vendors to implement LDAP and single sign-on where possible.
When a new user starts, telephony will often need to be set up and should be included on your checklist for onboarding users. This will include setting up a desk phone and a mobile phone if needed. I have seen this step on every onboarding checklist I have come across, but if there are any contact lists that need to be updated, or any admin staff who need to be told about the new numbers, I recommend making sure that this is also on your checklist.
A small step that is usually overlooked on the onboarding checklist, but that you should always remember, is to update the printer scan to email address books. You will be surprised how often users actually require the scan to email function, and not updating the address book will either annoy the user by forcing them to manually enter their address or create an extra help desk ticket that could have been avoided.
Lastly, the I.T department will be responsible for the user’s induction and basic training when they start. This can be as simple as going through the I.T support process and how to contact the I.T department, through to pointing out their mapped drives, the printers that are installed and some of the core business systems that are used.
Putting time and energy into training the user and giving them the tools and knowledge when they start will ultimately give the user a better onboarding experience and allow them to start at the organisation on the right foot. While the off-boarding process is important when it comes to security and compliance, the on-boarding process is equally important to ensure the user has a smooth and seamless transition as an employee with the company, and it also reduces work in the end by preventing tickets that would otherwise be raised after they start.
User management can be as easy or as hard as you wish to make it. Ultimately, the way you set up your AD and group policies will help immensely with the management of your users and with providing and denying access to resources. The implementation of automation can also be helpful if there is often movement in your employees’ roles and titles. When a user changes roles you can set up automation so that the security groups will change automatically. You can also use group policy for different OUs and automate tasks such as mapping network drives and installing printers according to OU.
Utilise a password policy and make sure that it is enforced. Password policies are getting even more strict, and most organisations now require as a minimum: 8 characters, alphanumeric, a special character, and passwords to be changed every 3 months. They also implement two-factor authentication with some of their systems.
Managing users also involves managing how the users will use the systems. You can use file resource manager on your file servers to set up and manage quotas on users’ home folders. You can also use the resource management tool to report on duplicate files on your file server and find out which users are most at fault for duplicate files.
It’s important to make sure you are keeping your eye on your users to catch those who use the systems incorrectly and against company policy. If you find a user that is incorrectly using the systems provided to them then you should always collect a report on this usage and always give the user one warning. The warning can often be a quiet word with the user about the infringement but always give a technical and reasonable reason behind why they are not to use the system. This first warning should also be in writing so that you have a record of the correspondence. Only one warning is usually needed here in my opinion. The next time the user performs the same task that is prohibited it is important to be ruthless and take this reporting or evidence to their manager. When it comes to the incorrect usage of the systems that could ultimately result in more work for you then your highest priority should be the I.T and the systems.
As mentioned earlier, off-boarding is a vital business process that should be taken seriously due to security and compliance issues. The process is much like the onboarding process in reverse but can often be shorter. As with all user management processes, it should be instigated by the HR department. Even in the event of a user being let go, where you receive word from their manager to disable the account immediately, I would still not do anything unless it comes from HR first hand.
There should be a checklist associated with the off-boarding process, as there is with the on-boarding process. The first thing you should do is change the user’s password and make sure it is something completely random that I.T has never used before. Maybe use a generic password that is slightly changed with the user’s initial as a prefix. It doesn’t matter if you leave the account enabled at first. If you are using single sign-on and LDAP integrations for many of your systems, this will immediately boot them from all of your systems anyway.
When it comes to the user’s mailbox, I would always hide it from the address book and work with the user’s manager to decide whether someone will require access to the mailbox or whether a forward should be set. If you are using Office 365 you can select an option to put a legal hold on the mailbox, which will essentially preserve the data in the mailbox from that time in case the user decides to go in and start deleting important emails. If emails have been deleted, you can also restore all hard deleted items from their mailbox through the console. Another step you can take is to log in and place an out of office on the user’s mailbox to let everyone know that this user no longer belongs to the organisation and to give alternative contact details.
The next step when decommissioning the AD account is to remove the user from all group memberships. As a practice, I suggest creating a separate group called inactive users. That way, when you remove the user from all groups and you get that dreaded message that the user needs to be a member of at least one group, you can keep them within this group instead of the standard domain users group it defaults to. The domain users group can contain some inherited rights that users should not have. After you have completed the removal of the group memberships, move the user to a different OU called inactive users.
Don’t forget to remove users from printer address books. It’s good practice to ensure that this is done, and if it is not done it can reflect poorly on the I.T department if other users see ex-employees still on the systems, even if it is just a printer address book.
Last, and probably one of the most important steps, is archival of the user’s data. This will often include the user’s home directory, remote desktop profile or roaming profile data, and mobile phone data and photos. It is also a good idea to log into the user’s PC and archive that data as well.
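The Active Directory steps of the off-boarding checklist above (random password, inactive users group as primary group, removal of all other memberships, move to the inactive users OU), as an added example that is not part of the original post. It takes the "completely random" password option and leaves the account enabled, as the text allows; the function name, group name and OU path are assumptions, and the group and OU must already exist.

```powershell
# Added example. Requires the RSAT ActiveDirectory module. The function name,
# group name and OU path are hypothetical; adjust them to your own directory.
Import-Module ActiveDirectory

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $InactiveGroup = 'Inactive Users',
        [string] $InactiveOU    = 'OU=Inactive Users,DC=example,DC=com'
    )
    $user    = Get-ADUser -Identity $SamAccountName
    # primaryGroupToken is the group's RID; the group must be global or universal.
    $group   = Get-ADGroup -Identity $InactiveGroup -Properties primaryGroupToken
    $current = Get-ADPrincipalGroupMembership -Identity $user  # includes primary group
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Off-board')) { return }

    # 1. Random password from the system CSPRNG; it is never displayed or stored.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

    # 2. Make the inactive group the primary group so Domain Users can be removed.
    if ($current.DistinguishedName -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # 3. Remove every other membership, keeping a record of what was removed.
    $removed = $current | Where-Object { $_.DistinguishedName -ne $group.DistinguishedName }
    foreach ($g in $removed) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }

    # 4. Move the account to the inactive OU.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $InactiveOU

    [pscustomobject]@{
        User          = $SamAccountName
        RemovedGroups = $removed.Name   # keep with the HR off-boarding record
        MovedTo       = $InactiveOU
    }
}
```

Running it with `-WhatIf` resolves the user and group and then stops before making any change.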
User management is one of those vital business processes that must be taken seriously to ensure consistency and compliance. Every organisation is different and will have its own procedures and processes regarding the management of users. This blog will hopefully give you a general guide on some things to think about when it comes to user onboarding and off-boarding, and on how each I.T department can go about managing users on their network.