Victus pro Scientia Opus -- Food for the Knowledge Worker: My SharePoint Administrator Just Quit. What Now?

So, your SharePoint Administrator just accepted his or her dream job, elsewhere. Or you had to reduce headcount and let him go…or she got hit by the green bus, won the lottery, "took two beers and jumped," etc. You get the point. Your SharePoint administrator is leaving in either a sudden or an involuntary manner, and you need to ensure that:

You have continuity in your SharePoint operations, with minimal negative impact to SharePoint users.
You maintain security of your SharePoint environment, even potentially against the person who until JUST NOW had designed, built, and managed that security.

Although we won’t assume malicious intentions on someone’s part without good reason, this post is my attempt to summarize some of the basic things you should do ensure the security and continuity of your SharePoint environment after losing your Administrator.

First and foremost, disable your Administrator’s Active Directory credentials. Do it now.
If your Administrator had access to other Network Administrator accounts, disable the accounts (if you have other administrators/accounts with appropriate access) or change the passwords.
Review and consider changing your SharePoint service account passwords. Microsoft Support documentation details some additional information about changing these accounts (for SharePoint 2007). If you don’t have these passwords, there is a Codeplex solution called SPCracker for gaining and documenting access to them. If using SharePoint 2010, consider configuring automated password changes for managed accounts in Central Administration as per this TechNet article. A couple of benefits of using managed accounts in SharePoint 2010 are the ability to manage account passwords in one place and the ability to use SharePoint’s built-in capabilities (e.g., alerts) to notify users of impending password expiration.
This is a tough one: If you use forms-based authentication (e.g., for extranet accounts), review any accounts that your Administrator may have had access to the passwords to. It’s not viable to ask dozens, hundreds, or thousands of external users to change their passwords all at once, but it’s worth double-checking to ensure that these users only have read or contribute rights and that there’s not another site administrator account floating around out there.

Some other tools that can help you support your users and quickly get (and stay) on top of what’s happening in your SharePoint environment are:

ControlPoint by Axceler – an excellent set of tools for managing SharePoint permissions and auditing who can see what, as well as automating many other SharePoint administrative duties.
Password Change, Reset, and Expiration web parts from Bamboo Solutions, which allow SharePoint users to maintain their own passwords without intervention from an administrator (IT departments, especially those with lots of external users, love this!).

If you have gaps in your internal service capabilities, administrator resources, etc., you should consider ways to get them on an interim or permanent basis. More on this in a follow-up post.

Editor’s Note: Many of our best blog posts come from questions raised by our clients, including this one, the direct result of a few client inquiries within a week or so of each other. Please keep them coming, and we’ll keep thinking and writing…

Flickr photo credit "I Quit: 1" by rocketace

3 Comments

Mike -- They say that a blindfolded human will indubitably stop walking a straight line within twenty paces and ultimately start walking in circles. While there's no scientific explanation for this your survival post is a sound way to prevent blindfold creep for that unexpected day when you need to keep walking that straight line.

Posted by: Marc Solomon | November 23, 2010 at 04:42 PM