Laid off employees, particularly disgruntled ones who may have had access to key corporate repositories, can threaten an organization. IT managers need global knowledge -- from knowing the enterprise directories and extranet directories and the location of repositories, to knowing the people in charge of directory access and which ones have super user privileges.
Contingency planningPerkins told managers to function as if they were managing through a disaster. Now is the time to choose new people to have administrator privileges, he said. "You have to know your stuff, know your people, know how to prioritize the use of directories and protect the key access points," he said. Perkins suggests taking the following steps:
- Create a super user management process. Allocate new privileges and new rights to new people and shut down access to former employees.
- Re-evaluate the role of the directory and the automated account workflow. Make sure you know where the directory is being used during new account creation or during the retirement of an account.
- Know the location of your current organizational assets that are related to assets and maintenance. You may have a good idea of where things are in the data center but not when you fan out into the wider enterprise. Audit your identity assets.
- Assess the relationship between the extranet directory and the enterprise directory so you can determine the level of synchronization. Hackers don't take a holiday. There could be a threat during the downturn, and the links between the inside and outside will be at risk. Make sure it's secure.
- Know what brands and versions of administration tools are available and how they work.
Don't deleteDuring a corporate downsizing, don't delete accounts. Disable them instead, said Jeremy Moskowitz, principal at GPanswers.com, a Group Policy trainer based in Philadelphia.
"If you delete an account, it's a long road to getting access rights for the next person who may take over," Moskowitz said. "When you are downsizing, someone still has to do that job in the interim. By deleting an account you are losing the link to everything that person was doing."
Disable the account temporarily, he said, and find out who is taking over the job role and then give the account a new name and password. "It may not be a good long-term strategy, but it's a good interim strategy for business continuity," he said. "Life has to go on for those roles and responsibilities."
In some cases, a company has to lay off desktop support staff and then change the local administrator passwords on the machines. Moskowitz said IT managers should know there is a new, easy-to-automate method of resetting desktop administrator permissions in Group Policy.