What to do when an employee leaves

Customer forum for LastPass Enterprise

Moderators: azitnay, admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

What to do when an employee leaves

Postby jefph » Thu Jul 06, 2017 12:08 pm

Hi, I'm an underling tasked with finding out what to do when an employee leaves an organisation, also an tips on best practice..!

Apologies if this is covered elsewhere, I have done a search on the forum and help centre, but maybe I was using the wrong keywords.

We have LPE, and for the first time since acquiring it have an employee leaving next week. She has a number passwords to accounts relating to company accounts websites, so quite important for keeping the finances up to date! Whilst they have been shared with the other employees who need them, what will happen to those shared assets when her account is closed down - will the other employees lose access to them? My assumption is that they will, and if that is the case, what is the best way to migrate what are essentially 'private' passwords to the main admin account so they can then be shared in a top-down, rather than bottom-up/peer-to-peer fashion?

Also.. when accounts are shared from a centralised account, as and when passwords expire and users using the shared password update on the website, I take it that the changes are propagated back. I'm a C/C++ programmer (also 20years SQL), and as such think in terms of LPE essentially passing around references/ pointers. If this is the case, then these changes will, of course, update the single master password - but given the potential for asynchronicities, I wanted to check how this sort of thing is set up!

So pretty much, what I have been tasked to find out is:
1. What is the optimum way to use Last Pass in an enterprise scenario?
2. What is the best way to manage the contents of a leaver's account?

Many thanks!
Posts: 2
Joined: Thu Jul 06, 2017 11:48 am

Re: What to do when an employee leaves

Postby jo786 » Wed Aug 09, 2017 1:40 pm

Did you ever find information related to your question? We have the same thing happening here, and I'm looking for the same answers.
Posts: 1
Joined: Wed Aug 09, 2017 1:39 pm

Re: What to do when an employee leaves

Postby jefph » Thu Aug 10, 2017 6:38 am

Alas, no :(

At the moment we're just keeping that LP account live, but at some point, when we employ some more folk here, we'd want to transfer that license to a new employee, and don't necessarily want them to have all the details to access the banking facilities!

I had hoped that someone may have jumped in on this thread pointing to knowledgebase answers that I hadn't found myself, or chapters in a manual that I'd overlooked, but it's not happened yet. I remain hopeful :)
Posts: 2
Joined: Thu Jul 06, 2017 11:48 am

Re: What to do when an employee leaves

Postby antonK » Thu Aug 10, 2017 12:14 pm

Thanks for posting this question, it's good to know I'm not the only one with this question.

Here's the solution:
>You need to enable "Super Admin - Master Password Reset" policy in the Policies section. (https://enterprise.lastpass.com/removin ... nterprise/)
>Then add a "Super Admin User" to the policy.
>The users that are existing will have to login in order for LastPass to be enable this policy for existing users, so had to "Destroy All Sessions" for each user; forcing them to login again.
>It seems to take the server about 30 min. to enable the policy once the user login has been entered again, so be patient.
>Once completed however, go to the Enterprise Users Panel (https://lastpass.com/enterprise_users.php) and one of the dropdown options now avaiable for the user should be "Super admin master password reset."

A few other good policies to enable along with this policy are:
> Super Admin - Shared Folders
> Prevent Email: Account Change
> Prevent Email: Password Was Reset
> Restrict email addresses to specific domains
> Disable email change
> Log Full URL
(and many more: https://lastpass.com/policy_doc.php)

PS: We first change the email address password for that EmployeE, then the LastPass; don't want the EE seeing exactly when we were inside the account.

Hope this helps.
Posts: 1
Joined: Thu Aug 10, 2017 11:56 am

Re: What to do when an employee leaves

Postby JustSomeITGuy » Thu Aug 17, 2017 3:15 pm

When we have a user leave our firm, we're deactivating their account (to free up the license). Then emailing the exiting users manager and them three weeks to let us know if they need any of the sites. If they do, we use the super admin to reset the password and transfer the into they need to a 'Offboarding Shared' folder so they can grab them.

After 3 weeks deleting the user all together.
Posts: 3
Joined: Thu Aug 17, 2017 3:11 pm

Return to LastPass Enterprise

Who is online

Users browsing this forum: No registered users and 4 guests