Picture this scenario: Your top lender was just terminated because she had been interviewing with the financial institution across the street. The management team fears she may try to log in after being let go to get information and contacts. They notify you, the network administrator, to disable all her accounts immediately. You do so but later find out she sent emails to potential clients from her email account even after it was disabled. How?
Disabling an account or changing its password blocks any new authentication attempts to Active Directory; it does not, however, end sessions that are already active under that account. So if the employee is receiving email on his or her phone or has an Outlook Web Access session open, there is a chance they can still use their email even after the account is disabled. This window could last minutes, hours, or days, until the session eventually expires or times out. If this is a concern, there are a few options:
Use ActiveSync to Wipe the Terminated User’s Phone
One strategy is to use Exchange ActiveSync to wipe the terminated user’s phone. No one likes to wipe an employee’s personal device, but hopefully that employee signed off on this action when they agreed to have their personal phone receive company email.
Disable Logon Hours in Active Directory
Another step that can be taken is to disable all logon hours in Active Directory. Each user has logon hours that are set in their account information in Active Directory. Hopefully setting logon hours is already part of your institution’s onboarding process for new employees. Rescinding logon hours for all employee terminations would be a good practice for employee offboarding. By setting logon hours to zero, all active sessions the employee has with the email server should be terminated, eliminating their ability to continue using email after termination.
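The two steps above (the ActiveSync wipe and the logon-hours change), combined with the usual disable-and-reset into one offboarding script, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, an Exchange Management Shell session for the mobile-device cmdlets, and a placeholder account name; the logonHours attribute is 21 bytes (168 one-hour slots), so an all-zero value denies logon at every hour.

```powershell
# Added offboarding example (not from the original post). Assumes the RSAT
# ActiveDirectory module and an Exchange management session are loaded.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # placeholder, e.g. 'jdoe'
)

Import-Module ActiveDirectory

# 1. Block new authentication: disable the account and rotate the password so
#    credentials cached on devices fail at their next sync.
Disable-ADAccount -Identity $SamAccountName
$chars = [char[]](33..126)
$plain = -join (1..32 | ForEach-Object { Get-Random -InputObject $chars })
Set-ADAccountPassword -Identity $SamAccountName -Reset `
    -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)

# 2. Close the active-session gap: set logonHours to all zeros.
#    21 bytes x 8 bits = 168 hourly slots; a 0 bit means "logon denied".
$denyAllHours = New-Object byte[] 21
Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = $denyAllHours }

# 3. Verify both changes took effect before moving on.
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled, logonHours
if ($user.Enabled) { throw "$SamAccountName is still enabled" }
if ($user.logonHours | Where-Object { $_ -ne 0 }) {
    throw "$SamAccountName still has permitted logon hours"
}

# 4. ActiveSync: enumerate the mailbox's mobile devices and request a remote
#    wipe. The wipe runs the next time each device checks in; on Exchange
#    versions that support it, add -AccountOnly to remove only company data.
Get-MobileDevice -Mailbox $SamAccountName | ForEach-Object {
    Clear-MobileDevice -Identity $_.Identity -Confirm:$false
    Write-Host "Wipe requested for device $($_.DeviceId)"
}
```

Run it once per terminated account and keep the output with the offboarding ticket as evidence that the session gap was closed.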
For most employees, this gap will never be an issue if left unaddressed. But since many people do not realize the gap is there, a small percentage of employees will be able to take advantage of the opportunity without anyone knowing. Adding logon hours to the employee termination process is a very easy step to avoid confusion and frustration in the event an employee tries to take advantage of the system.