
Protecting IT Systems from Exiting Staff

IT Blog from Resolve, IT Experts in Sheffield
Staff turnover is inevitable but you need to protect your IT systems. Peter outlines how to use Active Directory and Office 365 to oversee outgoing staff.

You’re fired!

All companies have staff turnover, and whether you breathe a sigh of relief or mourn your loss, the impact on your IT systems is the same: you need to safe-guard your data, protect your systems and ensure licence compliance without undue cost.

What do you do at the moment?

When a member of staff clears their desk and moves on to pastures new, a lot of people may think that everything is finalised just by having them leave their keys behind as they exit the building. This is rarely the case; they’ll also need to leave their keys behind for your IT systems. Obviously this means their passwords, but these aren’t something physical that can be left on their keyboard.

Do you simply allow them to give their passwords to a colleague?

With the best will in the world, and the best IT systems, it is still too easy for important documents to be kept on a user’s computer desktop, rather than the pertinent shared folder. There has been many a cry – days, weeks, months or even years – after someone has left for that really important document that is needed right now or there’ll be trouble.

Do you just ask their password holder to log in to the leaver’s machine and hope they can find it?

As with files, key pieces of information might also only reside in the leaver’s mailbox. Customers and partners may also email the ex-employee in the first instance, and may not know that they’ve left, or who to contact now that they have. Most email systems also need a licence for each mailbox or user.

How do you keep their emails accessible whilst also freeing up their licence?

If the above sounds familiar, which it will be for far too many businesses, what should you be doing? Fortunately, if you use Microsoft’s Office 365 cloud email system with an Active Directory domain, then the answer is – thankfully – very simple. Most of this will also apply to on-premises mail servers, especially Exchange 2013.

These steps include the relevant PowerShell commands. Make sure you have loaded the Active Directory module and connected to Office 365 (MSOnline and Exchange Online) through PowerShell before running them.
Hint: Watch for sections of code inside < > as you’ll need to enter your own information there.

It doesn’t actually matter if they have left the building or not, at some point you should stop their access to your systems. As soon as you’re ready, here’s what you do:

1. Change their logon password immediately. This will prevent them logging into any other computer on their way out. Use a long random password that nobody needs to know, not a guessable one like "Password1", and never reuse it between leavers.
Set-ADAccountPassword -Identity <Leaver's SamAccountName> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<Strong random password>" -Force)

2. Sync their new password to Office 365 so the old one stops working there too. You don’t want them sending that ‘farewell’ email to all and sundry.
Import-Module DirSync
Start-OnlineCoexistenceSync
(If you have moved from DirSync to Azure AD Connect, the equivalent is Import-Module ADSync followed by Start-ADSyncSyncCycle -PolicyType Delta.)


Dude, where’s my month end report <insert name here> was working on?

So the employee has left and they can no longer access their emails and files, but business continues and you need those files. In a correctly setup Domain environment, their documents, desktop and other personal folders will be stored on the main file server. Granting access to a chosen person is easy, as follows:

1. Grant the chosen user at least Read & Execute permission to the ex-employee’s root folder, then propagate that through to all subfolders.

2. On that user’s computer, create a desktop shortcut to the above network share location.

3. Instruct this user to move all relevant documents into the shared data structure for future reference.

4. Be aware that data left behind might be subject to deletion at a later date.

5. Consider cold storage for archiving old data, saving space on live filesystems and backups.


You’ve got mail, but we can’t see it!

So you’ve sorted their files, but what about all those emails you just know are still coming in and you really need the ex’s team leader to pick them up? This is where one of the benefits of Office 365 comes in; unlimited, free shared mailboxes:

1. Back in the Office 365 Exchange admin portal, disable OWA for Devices, Exchange ActiveSync & Outlook on the web.
Set-CASMailbox -Identity <Leaver's Email> -ActiveSyncEnabled $False -ActiveSyncAllowedDeviceIDs:$null -OWAforDevicesEnabled $False -OWAEnabled $False

2. Convert the mailbox from personal to shared.
Set-Mailbox -Identity <Leaver's Email> -Type Shared

3. Grant permissions to the shared mailbox to anyone who needs access to old and new emails alike.
Add-MailboxPermission -Identity <Leaver's Email> -User <Designated User's email> -AccessRights FullAccess -InheritanceType All

4. Use PowerShell to set up an Out of Office reply so that people emailing in know the person has left, and to re-direct them as appropriate.
Set-MailboxAutoReplyConfiguration -Identity <Leaver's Email> -AutoDeclineFutureRequestsWhenOOF:$False -AutoReplyState Enabled -ExternalMessage "<Leaver's Name> no longer works for <Company>. For ongoing business please email <Designated User> at <Designated User's email>. Please email <generic company email> for all other enquiries." -InternalMessage "For ongoing business please contact <Designated User>."


Licence to kill

Now that you have access to their files and emails, there’s one last thing to do before you can rest easy: terminate licences to remain in compliance. For Office 365 this will save you money every month; for server access it will free up an already-paid-for User CAL for the next new employee.

1. Set the user account to Disabled.
Disable-ADAccount -Identity <Leaver's SamAccountName>

2. Move it to a Disabled User Accounts OU. Move-ADObject needs the object’s distinguished name or GUID rather than its SamAccountName, so resolve the user first and pipe it through.
Get-ADUser -Identity <Leaver's SamAccountName> | Move-ADObject -TargetPath "OU=<Disabled Accounts OU>,DC=<Domain>,DC=<Domain suffix>"

3. In the Office 365 admin portal, remove any licences assigned to the user, then reduce the number of licences on your subscription so you stop paying for the spare one. Removing the licences can be scripted:
Get-MsolUser -UserPrincipalName <Leaver's Email> | ForEach-Object { $_.Licenses } | Select-Object AccountSkuId | ForEach-Object { Set-MsolUserLicense -UserPrincipalName <Leaver's Email> -RemoveLicenses $_.AccountSkuId }


Mighty Morphin PowerShellers

Many of the above steps are easily scripted in PowerShell. Declare the function, combine the scripts, tweak the variables and it becomes possible to batch process a whole group of leavers. Have fun!
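The batch function this paragraph describes, as an added example that is not the post’s own code: it wraps the commands from the sections above in one function, resets the password to a random value, keeps the mailbox-to-shared conversion ahead of the licence removal, and runs once per row of a CSV. The OU path, company name, generic address, CSV file name and the assumption that the ActiveDirectory, MSOnline and Exchange Online sessions are already connected are all placeholders for your own environment.

```powershell
# Added example (not from the original post). Assumes ActiveDirectory, MSOnline and
# Exchange Online PowerShell are already loaded/connected. Defaults marked
# "placeholder" must be replaced with your own values.
function Invoke-LeaverOffboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$LeaverEmail,
        [Parameter(Mandatory)][string]$DesignatedUserEmail,
        [Parameter(Mandatory)][string]$LeaverName,
        [string]$DisabledOU   = 'OU=Disabled Accounts,DC=example,DC=local',  # placeholder
        [string]$CompanyName  = 'Example Ltd',                               # placeholder
        [string]$GenericEmail = 'info@example.com'                           # placeholder
    )

    # 1. Reset to a random 24-character password nobody knows. Even a disabled
    #    account is safer without a known password, in case it is ever re-enabled.
    $random = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString -AsPlainText $random -Force)

    # 2. Cut off mobile and web mail access, then convert to a shared mailbox and
    #    hand it to the designated user. Do this BEFORE removing the licence.
    Set-CASMailbox -Identity $LeaverEmail -ActiveSyncEnabled $false `
        -ActiveSyncAllowedDeviceIDs:$null -OWAforDevicesEnabled $false -OWAEnabled $false
    Set-Mailbox -Identity $LeaverEmail -Type Shared
    Add-MailboxPermission -Identity $LeaverEmail -User $DesignatedUserEmail `
        -AccessRights FullAccess -InheritanceType All

    # 3. Auto-reply so correspondents learn who to contact now.
    Set-MailboxAutoReplyConfiguration -Identity $LeaverEmail -AutoReplyState Enabled `
        -ExternalMessage "$LeaverName no longer works for $CompanyName. For ongoing business please email $DesignatedUserEmail. Please email $GenericEmail for all other enquiries." `
        -InternalMessage "For ongoing business please contact $DesignatedUserEmail."

    # 4. Disable the AD account and park it in the disabled-accounts OU.
    #    Move-ADObject needs a DN or GUID, so resolve the user object first.
    Disable-ADAccount -Identity $SamAccountName
    Get-ADUser -Identity $SamAccountName | Move-ADObject -TargetPath $DisabledOU

    # 5. Strip every Office 365 licence so it can be reassigned to the next starter.
    $skus = (Get-MsolUser -UserPrincipalName $LeaverEmail).Licenses.AccountSkuId
    if ($skus) { Set-MsolUserLicense -UserPrincipalName $LeaverEmail -RemoveLicenses $skus }
}

# Batch run: one leaver per row in leavers.csv (placeholder file name) whose column
# headers match the parameter names above.
Import-Csv .\leavers.csv | ForEach-Object {
    Invoke-LeaverOffboarding -SamAccountName $_.SamAccountName -LeaverEmail $_.LeaverEmail `
        -DesignatedUserEmail $_.DesignatedUserEmail -LeaverName $_.LeaverName
}
```

Run the directory sync from the section above after the batch so the new passwords reach Office 365, and keep the output of each run as your offboarding audit trail.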
