Section 10.5. Former Employees Keep Accessing the Server


10.5. Former Employees Keep Accessing the Server

As an administrator, you'll have to deal with employee turnover. You know how to add accounts for new employees. But when current employees leave the organization, there's more to do. You have to make sure important emails don't get lost, files are transferred to people who know what to do with them, and the account is deleted.

Naturally, employee situations can get more complex, such as when someone goes on medical leave or is transferred internally. What you do depends in part on your corporate policies, and may be affected by factors such as security clearances. Things can get more sensitive with employees who are leaving, voluntarily or otherwise.

Therefore, you want to be able to explain what you do clearly to nontechnical users. If there are other interested parties, such as the U.S. Department of Defense, you may have to demonstrate how your actions comply with their policies.

In addition, what you share from a user may be subject to privacy laws of your state, province, or country. For example, you may not be allowed to copy stored emails from one user to another. If there are conflicts, consult with your management.

10.5.1. When an Employee Leaves

When an employee leaves a company or organization for good, you'll have to take care of the following things:

  • Delete or transfer the account.

  • If the account is deleted, transfer the files to an appropriate user.

  • If the account is transferred, change the account identity to make sure the former user can't access his old account.

  • Make sure email is transferred and forwarded to an appropriate successor.

Whatever you do, you'll need to make sure that it's consistent with the policies of your company or organization.

It's best for your organization if you have advance notice of any pending layoffs or terminations. If you do, you can back up the files from the accounts of targeted users and disable access at appropriate times. Needless to say, this is a serious responsibility that assumes trust from your supervisors.

You need to know how to keep this kind of information confidential and secure. If you do not, your position may be at risk.

The steps I describe in this annoyance are just suggestions, which you may want to change depending on your corporate policies.

10.5.1.1. Transfer files and delete an account

Before you delete the account of any employee, you'll need to save that user's files. You need to make sure any files related to work are transferred to appropriate users. In other words, take the following steps:

  1. Ask your managers to inform you of any pending employee moves.

  2. Back up the files of any user who will soon leave the organization.

  3. Deactivate the account of any user when she leaves, unless other arrangements have been made.

    One secure way to deactivate an account is to modify /etc/passwd or, if you use shadow passwords, /etc/shadow. Specifically, I change the password column for departing users to an asterisk (*) and the default shell to one where logins are not allowed, such as /bin/false.

  4. Scan the files of the user for viruses and worms. If they are using Microsoft Windows workstations, you'll have to use Microsoft tools. If they are using Linux or Unix workstations, there are open source alternatives, such as Clam AntiVirus (http://www.clamav.net).

  5. Normally, management assigns the responsibilities of those who are leaving to others. Be prepared to transfer the datafiles from the home directories of the users who are leaving to those others.

    Do not just copy users' home directories to others, as that may overwrite settings associated with key applications such as the Firefox web browser. While such settings are normally stored in hidden directories (which start with a dot, such as .mozilla), defaults can be overridden. A more robust way to transfer files is to make copies to appropriate subdirectories.

  6. Document what you do. When employees leave, people need to know what was done with their work. It's best if you can show what you've done in writing.

    Make sure your documentation complies with any company policies on the subject. Be aware of any requirements from third parties, such as the U.S. Department of Defense.

  7. There are also files that the user may have left in other directories. For example, if you want a full list of files owned by user columbia, run the following command:

     find / -user columbia -print > columbiafiles.txt 

  8. If there are files that you've missed, you can transfer ownership to others with the following command. These users can then make a judgment on what files to save or delete:

     find / -user columbia -exec chown napa.napa "{}" \; 

    If you're working with a distribution where all users belong to the users group, change napa.napa to napa.users.

  9. After all of these changes are made, you're ready to delete the departing user's account. For example, you can delete user columbia's account and home directory with the following command:

     userdel -r columbia 

10.5.1.2. Transferring an account

Unless you want to dedicate a specific account to a job position, it's generally best to delete old accounts after appropriate files have been saved. I describe what you can do to transfer an account later in this annoyance.

10.5.1.3. Managing email

If an employee is leaving, you need to make sure that any business email is transferred to appropriate contacts. There are a couple of basic ways to arrange email forwarding. As they go beyond Linux, I'll describe them in general terms.


Use Email Managers

Domain-management tools may include the ability to forward emails from one address to another.


Use Email Services

If you're using sendmail or Postfix as your email service, you can configure /etc/aliases to redirect email from one user to another. The process is straightforward; when you configure the system with the Email server, just add the email address of the old employee and the forwarding address to /etc/aliases.

You may see options for domain forwarding in your email server, which forwards all emails associated with your domain to a different domain. This is generally not appropriate, unless your corporate identity is changing in some way.

10.5.2. When an Employee Leaves Temporarily

Employees may leave temporarily for many reasons. Some may leave to care for children or infirm relatives. Others may leave to go to school full-time. Still others may leave temporarily for medical reasons. If the leave is not too long, it makes sense to retain that user's account. You could disable it, and provide access to that user's home directory to others.

However, longer leaves suggest that user may be placed in a different job after his or her return. Others will have to take responsibilities for the person on leave. When the employee returns, it may make more sense to treat the person as a new employee, at least with respect to his user account.

The definition of a "temporary" leave is a matter of policy for your organization. If that policy is not already defined, you may use the guidelines described in this annoyance to help.

In this section, I assume that the leave is temporary and the user will return to his or her previous position. In that case, you should:

  • Disable that user's account

  • Provide temporary access to appropriate users

  • Forward that user's email (see the previous subsection "Managing email")

10.5.2.1. Disabling an account

When you disable an account, you're disabling logins to that account. You do not change or delete any files or directories associated with that user's account, especially her home directory. As described earlier, the most straightforward way to disable access is to modify the password column in the /etc/passwd or /etc/shadow configuration files. I described this process earlier in this annoyance.

10.5.2.2. Provide access to appropriate users

While the user is on leave, others will need access to her files. Where possible, consult with that user and her management.

Linux certainly makes it easy for administrators to copy files from one user's home directory to another. But you don't want to transfer all files, unless you want to overwrite the defaults, bookmarks, and other defaults of the user who is taking the responsibilities of the user on leave.

10.5.3. When an Employee Is Transferred

Sometimes, all you need to do is transfer an account. Perhaps a supervisor has been promoted. Perhaps a materials buyer in the company has been replaced. If you've configured special groups for that user, it may be easier to transfer the account, rather than creating a new account and adding it as a member of the special group.

With these factors in mind, transferring an account involves different challenges. You're setting up the original user's files for a new job and configuring that account for her successor. I assume the employees who are moving have accounts on different servers, run by different administrators. To make the transfer, I suggest the following steps:

  1. Back up the account owner's home directory.

  2. Before the original account owner leaves, help her identify and move any files that she will need in her new position. She'll want to keep at least her emails and quite possibly default settings associated with her account, such as those in the ~/.mozilla directory, which govern the Firefox web browser.

    Naturally, this assumes that your company policies, or those who might monitor user accounts, such as suppliers or the U.S. Department of Defense, approve your procedures.

  3. Identify any files that should stay in the current account. Naturally, you should keep at least those files associated with the current job. Depending on company and security policies, it may be acceptable to make copies for the user who is moving, as she may be helping her successor during any transition period.

  4. Talk to the administrator associated with the employee's new location. Make arrangements to transfer at least those files identified in step 2 from the account owner's home directory.

  5. Make arrangements to forward email. While filters can help, you'll have to rely at least in part on the transferred user to forward important messages back to the new owner of the account. Alternatively, you can create a filter on many email servers that forwards a copy of all messages to the new account owner.

  6. Change the password and inform the new user of the account. Make sure the new user changes her password the first time she logs on to your system.



Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net