
As the old saying goes, denial isn’t just a river in Egypt.  It is also a useful tool to deny access and rights for employees on probation.

Think about the first thing an employee who is put on steps of discipline will want to do.  Steal data.  Download all of their files and contact information.  Cause havoc.  Create mayhem.  Not clean up in the kitchen despite that sign that informs them that their Mom does not indeed work there.

You cannot do anything about the kitchen, but you can start denying access to files and folders.  And just as importantly, restrict access to removable devices or media.  And you can do it the hard way or the easy way.  I recommend the easy way: dynamic Active Directory security groups.

Simply set up a synchronization job between your HR database and Active Directory that reads the “on probation” field in HR and changes the attribute employeeType to something that denotes they are on probation.

Create a dynamic security group (using GroupID if you don’t mind) that simply queries that attribute and places the “at risk” employee in the security group.  Feel free to mail-enable the group so you can email them and tell them what’s going on.  For privacy reasons, hide the group and its membership as well.

Once you have the dynamic security group set up, simply deny permission to members of that group to access file shares, systems, and critical resources.  Use Group Policy to restrict their ability to use removable storage and media like USB sticks.

The beauty of making the group dynamic is that once a user is no longer on the probation list, they no longer meet the query conditions and are removed from the group, instantly putting their permissions back to normal.
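
An added example, not code from the original post: a PowerShell version of the HR-to-Active-Directory synchronization job described above, using the ActiveDirectory module, followed by the LDAP query a dynamic group would evaluate. The CSV path, its EmployeeId and OnProbation columns, matching on the employeeID attribute, and the marker value Probation are all assumptions.

```powershell
# Assumptions (not from the article): the HR export is a CSV with the columns
# EmployeeId and OnProbation, AD users carry the same id in employeeID, and
# 'Probation' is the marker written to employeeType.
#Requires -Modules ActiveDirectory
param(
    [string]$HrExportPath = '.\hr-export.csv',   # hypothetical path
    [string]$Marker       = 'Probation',         # hypothetical marker value
    [switch]$Apply                               # without -Apply, only report
)

$hr = Import-Csv -Path $HrExportPath
# An empty or truncated export would otherwise clear every flag and hand
# access back to everyone on probation, so stop instead.
if (-not $hr) { throw "HR export '$HrExportPath' has no rows; nothing changed." }

# Employee ids that HR currently marks as on probation.
$onProbation = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($row in $hr) {
    if ($row.OnProbation -match '^(1|true|yes|y)$') {
        [void]$onProbation.Add(([string]$row.EmployeeId).Trim())
    }
}

$users = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(employeeID=*))' `
    -Properties employeeID, employeeType

foreach ($u in $users) {
    $shouldFlag = $onProbation.Contains([string]$u.employeeID)
    $isFlagged  = $u.employeeType -eq $Marker

    if ($shouldFlag -and -not $isFlagged) {
        # -Replace overwrites any existing employeeType value.
        Write-Output "FLAG  $($u.SamAccountName)"
        if ($Apply) { Set-ADUser -Identity $u -Replace @{ employeeType = $Marker } }
    }
    elseif ($isFlagged -and -not $shouldFlag) {
        # Only the marker is cleared; other employeeType values are left alone.
        Write-Output "CLEAR $($u.SamAccountName)"
        if ($Apply) { Set-ADUser -Identity $u -Clear employeeType }
    }
}

# LDAP query for the dynamic security group to evaluate.
Write-Output "(&(objectCategory=person)(objectClass=user)(employeeType=$Marker))"
```

Run it without `-Apply` first to review the FLAG and CLEAR lines before any attribute is written.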