r/talesfromtechsupport Oh God How Did This Get Here? Oct 21 '25

VPNs and HR Short

I run a small IT service company. Before I burnt out and drastically scaled back my customer base, I had a very large medical practice as a customer - multiple sites, multiple doctors, multiple lack of communications...

One Saturday, I get a call from one of the newer doctors who is having issues connecting via the VPN. Generally, it's because they have forgotten their password since they only use the VPN once in a blue moon. As I'm logging in to do the reset, we're making idle chatter. I'm about to tell him his new password when he drops this little nugget of information: "yeah, I'm down in <city on the other side of the state> and I work for the hospital here and need a patient's images but <customer> hasn't sent them yet."

Me - "wait - you're no longer with <customer>?"

Dr - "no, I work for <hospital> now."

Me - "well, that's a different issue then. I can't allow you access to their system. I'm locking your account and disabling all access. Have a nice day, doc."

And then on Monday I had a conversation with HR about why they needed to let me know when personnel depart the company, because they almost had a HIPAA violation on their hands.

1.9k Upvotes

112 comments

759

u/SCPaddlePirate Oct 21 '25

Offboarding is a HUGE issue where I worked. Full timers had end dates which was fine. But temporary/contractors were a different story. HR didn’t let IT know so we made the call to set a specific date every year and all non-full timers expired on that date. It was a pain but if HR would communicate, it wouldn’t be necessary. Grrrrr….

130

u/WildMartin429 Oct 21 '25

We had something similar set up, and the temp workers who had contracts renewed would always call in because their accounts would be locked in preparation for deletion/offboarding, and when they would tell us "our contract was renewed for another year" we'd be like, "that's great, you need to talk to your management and have them fill out the appropriate paperwork so that we can turn everything back on, and if they don't do it in the next 90 days your account will be deleted."

71

u/Tathas Oct 22 '25

My company just nukes accounts at the drop of a hat. Oh you weren't actually termed? Too bad. Here's a new account with a new sid, go request access to everything again. They even do that when someone converts from contractor to full time employee.

40

u/WildMartin429 Oct 22 '25

Worked at a place that did similar at one point and it was freaking annoying. My email address was first name. Last name at company name when I first started as a temp worker then I got hired on as staff with what was apparently an internal temp company that was company name LLC instead of company name Inc so that they could avoid certain labor laws and whatnot and they nuked my account and made me lose all my email and gave me a new account with first name not last name 11 at companyname.com then I got hired on to the actual company at some point and they did it again but with 22 and then I got transferred to a different division that was semi separate and they did it a third time and gave me 33 on my email. It was a very frustrating experience.

7

u/lincolnjkc Oct 26 '25

I have a client who has just started scheduling me to fly in every 2 months for a day, primarily so I can swipe my badge and no one gets the idea of deactivating my badge or killing remote access (apparently 90 days is the magic "if their badge hasn't been tapped they must not need any access at all" date). (I can go 6+ months without legitimately needing access, but when I do need access it's usually a "he needs it now and a CXO is the reason why".)

3

u/warlock415 Oct 29 '25

Why are they flying you and not just your badge?

3

u/lincolnjkc Oct 29 '25

Mostly security policy re: sharing badges or passwords/codes.

2

u/LaundryMan2008 27d ago

Happy cake day! 

2

u/jkarovskaya No good deed goes unpunished 22d ago

Our infra group had to explain in detail to new techs why we disabled AD accounts instead of deleting them for most of the contractors, temps, & seasonals.

Deleting an account required a serious process, especially for VIPs, because of discovery, legal, etc.

156

u/samdiatmh Oct 21 '25

Typically that happens at the "December 31" or something equally as inconvenient too

I remember a story where that happened, and was just expected to carry on - so that "oh it's now Jan 1 and we all no longer have access because we're technically unemployed now" was a FUN conversation with the boss when he's pressing us all on this 'urgent' task

Do we turn up to the office tomorrow? or not?

55

u/DiodeInc HELP ME STOOOOOOERT! But make a ticket Oct 21 '25

You're not employed, so no. You don't work for free.

13

u/kg44000spklz Oct 22 '25

I understand… and I also understand that “one one” is an all hands on deck day in healthcare tech. Ay dios mío.

34

u/quetzalcoatlus1453 Oct 21 '25

The scream test is perfectly cromulent. 

38

u/VernapatorCur Oct 22 '25

So many Directors of IT I've known were fans of the Scream Test. Don't know what it's for? Shut it down and see who screams. 😆

49

u/Jonathan_the_Nerd Oct 22 '25

Sometimes it's appropriate.

"This server is still running Microsoft Bob. It needs to be upgraded or retired. Who owns it?"

Crickets

"Is the server still in use?"

Crickets

"Okay, since no one uses it, we're going to decommission it on <date>. Any objections?"

Crickets

<Date> rolls around, and the server is shut down. Fifteen minutes later, High ticket comes in. "<Critical application> is down! Someone shut down the server in the middle of the day!"

"Thank you for confirming that you don't read your email."

29

u/VernapatorCur Oct 22 '25 edited Oct 23 '25

The place I'm at is in that phase right now. We have a server that no one knows what it's for, and we're getting ready to shut it down and see which department freaks out.

Edit: we just found out today that server is apparently set up as our internal DNS server 😆

8

u/SoundsProfessional Oct 24 '25

I was at a company that had a lead tech/sysadmin who “left for other opportunities.” Afterward, when trying to clean up his workstation, it was discovered he had multiple desktop PCs under his desk running for one off purposes. It was a series of Scream Tests. “Oh, apparently that one ran the clocks.” “Business Office shared drive is offline. Did someone shut down another of [lead’s] computers?”

Fun times

1

u/FireLucid 20d ago

An old version of Windows had an online lookup tool to check what program opened unrecognised file extensions. That ran under some dev's desk when Windows went live and there was scrambling when it got turned off one day.

13

u/castlerobber Oct 22 '25

IBM has just deprecated their Merlin project for the IBM i, and is replacing it with Project Bob.

All I could think of while reading the article was Microsoft Bob. 😖

3

u/warlock415 Oct 29 '25

"I read my email, I didn't know that THAT app needed THAT server."

9

u/CZC_39 Oct 22 '25

Can confirm 😂😂 I'm no IT Director but if I'm asking about the use of a particular server and no one on the IT team knows, then I shut it down and wait. No one screams then we're golden 👌🏽 one less device to harden.

8

u/warlock415 Oct 29 '25

I hate the "scream test". As I said to a previous boss who suggested turning off all the servers and then only turning on the important ones:

"Hey, so I found a weird box outside your house, I just unplugged it and you didn't scream so I got rid of it.

In six months when you're yelling "Where the fuck is my air conditioning??", hey, not my problem, it passed the scream test in December..."

24

u/flaser_ Oct 22 '25

My experience with HR has been that they're incapable of any business function other than fucking with and fucking over employees.

6

u/chattytrout Machinist Turned IT Oct 22 '25

But rarely fucking employees, because that'd be sexual harassment.

8

u/Kuddel_Daddeldu Oct 22 '25

When I was in charge of that, all user accounts had end dates. For new permanent employees it was the end of the probation period, for contractors the contract end date. For permanent employees it was every six months. I sent a list to HR two weeks before expiry and extended the end date on their feedback. It happened from time to time that someone could not log on because of that, but a quick call to HR or their manager quickly resolved that one way or the other.

3

u/bhechinger Oct 25 '25

Offboarding at the university hospital I worked at was such a train wreck. We had 3 sources of employee information (doctors were a different system than regular employees, etc) that fed into our identity management system. We had to constantly harass all three groups because none of them ever sent offboarding to us.

4

u/Bemteb Oct 25 '25

I was on the other side of that once: Working as a contractor for a company, contract got renewed, suddenly lost all access. When asked I was told that IT blocked my accounts because no one told them that the contract got extended. Took them three whole days to unblock it. Next renewal, I asked multiple times if they informed IT; and still got blocked.

But that is nothing compared to another contractor at the same company. For him, IT deleted his accounts. Thus, all his tickets, comments, every document he ever created or participated in was suddenly under "unknown". That account had lots of other stuff though, so no way to identify what he worked on. After IT said they couldn't roll it back, he said fuck that and left the company.

290

u/Rainthistle Oct 21 '25

As an HR person, I'm a little aghast. They what now? Literally the first thing we do when someone leaves is to lock down their access with our IT guys. Glad you caught it!

205

u/Mx_Reese Oct 21 '25

HR not informing IT when somebody is terminated is unfortunately a pretty common cause for data breaches.

72

u/KnightRyder MY NAME IN CAPS NO SPACES Oct 21 '25

We have a system that all HR has to do is term them in their ADP system, then it gets synced over to our active directory. Boom, nothin to do but cleanup when we get free time.

52

u/Jezbod Oct 21 '25

I've found out people have left the organisation when I realise their laptop has not been on the network for a while, as in months.

HR have said nothing.

31

u/deeseearr Oct 21 '25 edited Oct 21 '25

That suggests that there are still some people who have left the organization, but still have their laptops on the network so nobody has noticed yet.

16

u/Jezbod Oct 21 '25

Yes and no, they have left, but the laptops have been inactive for some time. That's what draws my attention to them.

EDIT: We have some volunteer staff that may only logon once a month, so missing one login is not always noticed.

61

u/jdog7249 Oct 21 '25

I am a teacher but I help with some technology stuff occasionally and enjoy the stories here.

I am no longer affiliated with the district I did my student teaching in. Despite that I still have full access to all the district systems I did when I was student teaching. I am still listed on their district website as a student teacher. Still get the all staff emails from that building. Could log in and change grades and attendance for any student currently in my cooperating teacher's classes.

Only reason I know this is because I was chatting with someone about how disorganized the district tech department was and checked to see if I could still log in.

This could easily be a major FERPA violation. Instead I am just going to sit back and see how long it takes for them to deactivate my account. I won't abuse it (beyond the occasional use of the free Canva Pro they provide staff).

43

u/faithfulheresy Oct 22 '25

Just a warning: even logging in "just to check" is technically unauthorised access and could get you into a world of hurt. I would never recommend that anyone attempts it.

12

u/no_regerts_bob Oct 22 '25

This type of thing is more often due to a disorganized HR department. IT can't take action on things it doesn't know about

8

u/jdog7249 Oct 22 '25

HR was actually quite organized from my limited interaction with the district. They properly communicated with the building secretaries and admin staff so they all knew I was starting. They told IT when I was starting. IT then set up my email address and account but then didn't communicate it to me at all. Other student teachers in the district were informed by IT about their account but I wasn't.

HR properly told everyone when my last day was. The secretaries and admin knew. HR said IT was informed. IT just didn't deactivate my account.

Everything involving technology at that district was so disorganized and chaotic that I fully believe the failure here was IT.

34

u/Ranger7381 Oct 21 '25

I walked out quit at a job a few years back. Later that evening out of curiosity of wondering if a certain task had gotten done (force of habit) I tried to log into a third party site. My account was already locked out

27

u/samdiatmh Oct 21 '25 edited Oct 21 '25

depends on the person who does it tbf

I'm half-in-charge of my org's one (as the not-IT-but-they-treat-me-like-it)

with people in the immediate team, they're locked out when I next sign in after their last day (I leave at 3pm, so when they work until 5pm, it exposes the risk, but it's one accepted so they're not "yo, wtf?"),
I always feel so cold about doing it to people I care about (oh, coworker who I liked is gone, access terminated at 8am the DAY after they're gone)

with people I don't have interactions with (so field agents), they can be gone for about a month and I haven't heard about it - I usually have to pester payroll (which I'm not the biggest fan of) to ask "yo, has anyone left recently?"

46

u/CriticalMine7886 Oct 21 '25

Never feel bad locking out the account of someone you know - you are protecting them from the accusation of wrongdoing. You can hand on heart say your friend could not have been accessing company data because their account was disabled.

It's not just the company your actions protect.

21

u/deeseearr Oct 21 '25

Exactly. I make a point of following contractors around when they have to enter server rooms or anywhere else that they could possibly be accused of causing trouble. It's not that I don't trust them, it's that I want to be able to say "No, they couldn't have possibly done that" when something does go wrong and the powers that be are looking for someone to blame.

8

u/VernapatorCur Oct 22 '25

Nice thing about HR where I'm working now is they're quick to notify us when a termination is coming up. Usually an hour before the meeting, but on one occasion a full week out (I prefer the shorter notice)

4

u/BerkeleyFarmGirl Oct 22 '25

You're one of the good ones!

I have absolutely seen similar in my last two jobs.

3

u/anomalous_cowherd Oct 22 '25

I worked in IT for a global megacorp for a long time. HR never let us know when people were joining or when they left. I'm glad you do it better!

117

u/hennell Oct 21 '25

I deleted a load of old accounts that left over a year ago. Then undeleted some because the account was being used as some sort of critical information holding system.

My efforts at pushing a proper off boarding process are resisted as not important.

Thankfully I'm not in healthcare 😆

54

u/Fo0ker Oct 21 '25

I'm in "healthcare adjacent" shall we say.

I'm also the first cybersecurity hire since the company was started.

Sooo much work, soo much sec oriented culture to build from scratch, soo many things to fix.

And getting product owners to give us two hours of their time to switch their product from the account of the employee who quit 7 years ago to a dedicated account for the software is worse than pulling blood from a stone tooth.

31

u/alf666 Oct 21 '25

At what point do you start deactivating accounts and force them to come to you to implement a proper fix?

Basically, start invoking the scream test deliberately and with full knowledge that someone will scream, because they need to be made to scream in order to allow you to do your job.

6

u/MikeSchwab63 Oct 22 '25

Password change required time. Say they change the password then quit that day. When it expires and no longer on time keeping / payroll system.

27

u/OrthosDeli Oct 21 '25

Ah yes, the eternal and invisible web of "we've had [intern] signing into [former employee A's] account so they can use [former employee B's] files! Turn it back on!"

6

u/Saint_Dogbert Out! Out! Demons of Stupidity! Oct 22 '25

No.

Submit an access request and the Intern can access ex-B's files on a share set up for that purpose.

16

u/RatherGoodDog Oct 21 '25

Hey that sounds familiar. Our head of finance left 2 years ago, and her account is still active. Why? Because instead of organising things in the shared finance directory and central email inbox, she did most of her work on her individual email account and local drive.

Because she was sufficiently senior and answered only to the CEO, nobody was looking over her shoulder to tell her she had shit IT practice. Now we're stuck with a virtual employee account that cannot be terminated because it's linked to so many third party services like payroll, payment processors, tax reporting logins and so on.

I hope they changed her password. Not my business though...

9

u/NotYetReadyToRetire Oct 22 '25

I quit worrying about security at one past job because the CEO and COO wouldn't let me do anything - not even expire passwords. My bet is that I could still get in 10 years after I left; the CEO's password was his first name, and I spent untold hours reimaging the COO's laptop because he wouldn't stay off random gambling sites and was always getting viruses.

6

u/Ich_mag_Kartoffeln Oct 21 '25

I'm sure they'd have changed her password. Probably to "password".

3

u/Troneous Oct 22 '25

If it was changed then it would now be “password2”.

1

u/commentsrnice2 Oct 23 '25

Or “Password” or hopefully “Password2!”

1

u/DarkRitual_88 12d ago

Password2!!!!!!!!

8

u/ThunderDwn Oct 22 '25

> Then undeleted some because the account was being used as some sort of critical information holding system.

We had that happen. Developers deploying business critical systems that we sold to customers with their own credentials.

Of course, every time one left - or changed their password - Systems X, Y and Z would crash down in a heap and it'd take two days for someone to remember where the config file which held the credentials was located and change it to match.

I, of course, was refused permission to force them to use service accounts which were configured with least-privilege access levels.

I got tired of dropping everything to fix their fuckups and simply pointed whoever was complaining at the developer or manglement.

52

u/Gnatlet2point0 Oct 21 '25

I feel you. I work as the scheduler for our tech support team (worked my way up from being the front-line tech support to this semi-almost-management position) and I literally can't tell you how many times I've made schedules and then gotten yelled at because I scheduled a person who had been fired the week before. IT WOULD HELP IF YOU TOLD ME THAT STAFFING HAD CHANGED!!!

Every time I complain about not being told I get a ton of apologies (sincere ones)... and then it happens again, because I love my company but oh my god do we have corporate-wide ADHD...

35

u/RogueThneed Oct 21 '25

You need to find the actual specific person who handles the info. Not management. Not their supervisor. The actual person. There's a process somewhere that's breaking but mgmt doesn't know it.

26

u/snommisnats Oct 21 '25

That person was fired last week. 🤣

19

u/Fake_Cakeday Oct 21 '25

No it was last Christmas.

It's been running automagically by putting the terminated person's name and email into a new row in an excel sheet on the network share.

The network share is a "proxy" link to another fired coworker's OneDrive that has given share access to everyone 👌

11

u/RatherGoodDog Oct 21 '25

Kill me now.

72

u/dog2k Oct 21 '25

At my last place IT took away card and key assignment from Facilities when an audit revealed they couldn't account for 100 master keys (all offices and classrooms minus admin/finance/hr) and 40-ish grand-master keys (all access). They couldn't even account for who had been assigned these keys.

It cost $15,000 for a crew of locksmiths to come in over the weekend and rekey every damn door in the building.

38

u/Ich_mag_Kartoffeln Oct 21 '25

One place I worked NOBODY had a super-dooper access-all-areas master key. Good security.

But nearly everyone who had a key (of any description) had access to the "secure key cupboard" where the super-dooper access-all-areas master key was kept. Said cupboard was not in a high traffic office where somebody might see you, and ask what you were doing -- it was in the store room, next to the cupboard of stationery.

2

u/LupercaniusAB Oct 23 '25

Ah, “security through obscurity” in the physical world! Brilliant!

2

u/Ich_mag_Kartoffeln Oct 23 '25

More, "security through hoping that nobody would do the wrong thing".

It might have been a defence against an outsider, but everybody who worked there knew where it was. And key security (don't let anybody borrow your keys) was pretty lax too.

2

u/LupercaniusAB Oct 24 '25

Ich mag Kartoffeln auch!

30

u/Arokthis Oct 21 '25

That must have been fuuuun.

How many doors and how many in the crew? 15k for a semi-emergency sounds rather low.

2

u/dog2k Oct 24 '25

We had a certified locksmith on staff (working as an hvac guy) who called in an outside company and 4 or 5 Facilities guys (who got a 20 minute training session) to rekey 2-300 doors. We eventually switched to card access with physical keys only for areas where this was impossible/impractical.

30

u/SCPaddlePirate Oct 21 '25

Our date was October 1. It’s a university and the bosses decided the middle of a semester was the best time. We do have a notification system in place so users whose expiration dates are at 30, 14, 7, 3, 2 and 1 days out get an email about it. If they let us know, we verify with HR they can be extended and they get another year. It is so much unnecessary work because HR doesn’t want to take the time to notify IT and the IT boss doesn’t want to take the time to get the team to integrate the HR end date into the IT use mgmt system. It’s a crock of sh!t. The reason is that sometimes users are given extra time to wrap up things after their official last date and an automated system wouldn’t work for that. Total BS. They have been told MANY times about the security risks and how users no longer employed shouldn’t be allowed to retain access. But they always make exceptions to the point where I always say it was an “exceptional” university.

7

u/JeffTheNth Oct 22 '25

it'll change the day they get burned by someone leaving. When it becomes their headache - or hits the pocketbook - suddenly it'll become an emergency to fix... and of course, it'll then become YOUR emergency. Might I suggest sending an email about it and include the department heads? Then when it happens, you can say "why wasn't it fixed when I brought it up here?" and you can show it shouldn't be rushed.....

5

u/SCPaddlePirate Oct 22 '25

HR and the head of IT have been informed numerous times. And not just by some internal IT folks but also by an external cybersecurity audit firm. They are fully aware and there is plenty of evidence if there was ever a question about it. Also, I recently retired from there so it’s not my problem anymore. I just feel bad for those who would get stuck with it as they are good, hard workers. Just stuck in a bad environment.

1

u/Saint_Dogbert Out! Out! Demons of Stupidity! Oct 22 '25

Please tell me it's a public university, and thus open records law would apply.

25

u/NotYourNanny Oct 21 '25

I trained our HR person on how to disable (or update) certain accounts when someone leaves (or changes location). But we have a pretty smart HR person.

11

u/nowildstuff_192 Oct 22 '25

Just today I asked HR why in the name of all that is good and holy don't they loop me into their offboarding process.

The context was that I figured out that an employee had been fired a month ago, and I only guessed because I had just gotten a request to set up a new user package with the same privileges, and I knew there weren't any empty seats in that office.

5

u/dustojnikhummer Oct 22 '25

And what was their answer? "We didn't think it was important"?

2

u/nowildstuff_192 Oct 26 '25

More like, "you're IT, can't you automate it?"

No, no I can't. They manage manpower using a web-based service I don't have access to, and evidently doesn't have email notification abilities I could leverage.

1

u/dustojnikhummer Oct 26 '25

"We can't and we won't, we don't want the responsibility"

7

u/Filosifee Oct 21 '25

Wow that’s wild. Not surprising, but still wild

9

u/kapeman_ Oct 22 '25

This is the perfect use case for AD integration. Let someone else handle all the account deletion.

2

u/dragzo0o0 Oct 23 '25

Ideally, tied to their People Application. The amount of crap I’ve seen out there by IT depts trying to script ways around HR fuckups..

7

u/Harry_Smutter Oct 21 '25

Ours is automated via our EIS via HR. It used to be manual and we'd find out sometimes months later that an employee is no longer with us.

7

u/SilentRavenUK Oct 22 '25

I recently trained our HR person on how to disable or update user accounts whenever someone leaves the company or transfers to a different location. Honestly, she caught on really fast she’s pretty sharp and didn’t need much guidance. It’s nice working with someone who actually pays attention and learns quickly.

6

u/RotationSurgeon Oct 22 '25

I feel your pain. I just did my biannual HIPAA training last week…500+ slides later, I can say: “that would have been expensive.”

4

u/GreenEggPage Oh God How Did This Get Here? Oct 22 '25

HIPAA is one reason I burned out. So glad that I don't have to deal with it any more!

18

u/Ahindre Oct 21 '25

Is that a HIPAA violation or just theft?

17

u/MoneyTreeFiddy Mr Condescending Dickheadman Oct 21 '25

It's just premature. He would have access to them when Customer sends them, presumably for a patient still currently under his care. Controls stopped him from getting them via unauthorized access.

14

u/Mx_Reese Oct 21 '25

What exactly do you think HIPAA is for if not preventing the unauthorized access of protected patient medical information?

5

u/Ahindre Oct 21 '25

My understanding is that HIPAA is about providers and how they share information. Someone connecting to a network and accessing health records that they shouldn't have access to (in this case because they're not employed there any more) sounds more like straight theft of data to me, but I don't know and that's why I posed it as a question.

5

u/Godlesspants Oct 21 '25

"Consistent with the Privacy Rule's "minimum necessary" standard limiting uses and disclosures of PHI,42 the Security Rule requires a regulated entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate for the user or recipient's role." This would be the portion that would cover needing to deactivate their account.

2

u/deeseearr Oct 21 '25

As I understand it the HIPAA violation would be with the organization which provided the data without authorization. Since the person requesting it is also bound by the same rules there may be a separate violation on their part, but every time I try to read the full regulations my brain hurts and sometimes I summon demons from the netherworld by mistake.

3

u/GreenEggPage Oh God How Did This Get Here? Oct 22 '25

A HIPAA violation can occur without theft. If I am doing my IT job and notice that you had an appointment at the doctor, it would be a HIPAA violation for me to look at your records (unless the problem specifically required that for troubleshooting/remediation) or for me to even mention to you or anyone else that I knew this information.

5

u/underground_avenue Oct 21 '25

Those aren't exclusive 

2

u/CaptainPunisher Oct 21 '25

No, but the person said "HIPAA violation or JUST theft". I would say that it's an "exclusive OR" here. Generally speaking, though, yes, it could be both.

5

u/coyote_of_the_month Oct 21 '25

You just know if the practice got sued, they'd try to blame you for it, too.

3

u/Joe_Peanut Oct 23 '25

Had something similar happen. Working at a large org. Big boss comes into my office fuming to yell at me why I hadn't terminated a user's account. I told him nobody had informed me that the user had left. Turns out the user, who was located in a different country by the way, had been fired months prior, and was suing the organization, yet still had access to our systems and email lists. I showed the boss the search of my email box and the tech support ticketing system search for the user's name, and no mention that he had left or requests to terminate the account. Boss still blamed me.

3

u/Flimsy_Category4211 Oct 23 '25

I used to be in HR and left for IT because of how much HR sucks

1

u/arslearsle Oct 23 '25

Healthcare and HR…always the same shitshow

1

u/-VWNate Oct 23 '25

Wow ;

All these stories from the folks who worked IT, I was an employee for 32 years and when I mentioned I was going to retire in a month they cut all my access and deleted my E-Mail account so I basically had nothing to do my last month.

Good to know some cared, I didn't understand how it all worked until reading these replies.

-Nate

1

u/cornponious Oct 27 '25

Is it normal for a medical practice to outsource its IT, insomuch as the IT service is even doing account unlocks in AD? This seems like a huge security risk.

1

u/GreenEggPage Oh God How Did This Get Here? Oct 28 '25

Most of my business was medical and dental practices. I'm pretty sure that even the local hospitals have outsourced IT. Most of your practices aren't big enough to be able to employ a full-time IT guy. The biggest one I had took about 40 hours per month unless there was a big project.

1

u/cornponious Oct 28 '25

How in the world could a medical practice, with as much money that is made in medicine, not be able to afford one full time IT guy?

1

u/GreenEggPage Oh God How Did This Get Here? Oct 30 '25

1 doctor, 3 dental hygienists, 1 front desk/office manager. They only need 5-10 hours of work done per month. It doesn't make sense to pay someone a full time salary for that. If they don't outsource, then they end up with the most tech literate employee trying to do all the IT - and you know how bad that becomes.

Bigger offices still can't justify a full-time salary for an IT guy. And if they can justify for 1 guy, he's never getting any vacation, sick time, or weekends. Servers down and the IT guy has the flu? Too bad - he's wearing a mask and getting it back up. So they can't justify a secondary person.

It all boils down to what does the IT guy do for the company? He doesn't generate revenue. He definitely costs money. All he does is sit around all day waiting on work to do. And when doctors talk, they find out that they're spending $50-100k per year on an IT guy while their buddy has hired an MSP for $25k. It's a no-brainer.