Best Practices Re: Removing users from Policies and Deleting users from Domain Control

I am auditing our database of users that has never been cleaned up and I want to proceed correctly. There are numerous termed employees that need to be deactivated.

I really want to understand the difference between the functionality of Domain Control and Policies and what effect removing/deleting users means under each. Is data lost?

Any guidance is MOST, MOST appreciated.

Answers

  • Sheena Trepanier Posts: 1,796 Expensify Success Coach

    Hi @SWalsh_2019, this is a great question and I'm happy to clear things up!

    What's the difference?

    A policy is used to group employees who should all follow the same expense reporting rules. Typically policies are used to separate employees by department or entity if multiple policies are used. A member of a policy has the permissions needed to submit reports on that policy and removing them will block them from submitting on that policy in the future.

    Domain Control on the other hand is used to group employees who have the same domain email, for example @Expensify.com, and lock down account creation using those emails. Domain Control also grants a company administrative control over an employee's account but this is limited to account creation, deletion, and assignment of company cards.

    What happens when an employee is removed?

    When you remove an employee from a policy, they can no longer create and submit reports on that policy. As an admin, you retain access to any of their submitted reports that you already have access to; no submitted reports are removed from the policy.

    Deleting an employee from Domain Control can have two different outcomes depending on how the employee has their account set up. If they are only using their work email with no secondary logins, then deleting them from Domain Control will delete their Expensify account entirely. If they have a secondary login, then deleting them from Domain Control simply removes the company email from their account and reverts them to their secondary login.

    If you remove an employee from Domain Control, you still retain access to their submitted reports and won't lose any information there. It's important to confirm that the employee is removed from the company policy as well as Domain Control, especially in the event they have a secondary login. Removing an employee from Domain Control does not remove them from company policies unless their account is successfully deleted.

    Best way to handle termed employees

    There are two main ways companies handle termed employees. The first is to delete them from the policies and domain. This is typically the cleanest but is also a permanent deletion if removing them from Domain Control.

    The second option is to create a group in the domain that you call "Terminated Employees" or something similar. Termed employees are moved to this group and are effectively locked down based on the group restrictions you select.

    The choice is yours, but if you run into questions before making changes feel free to circle back to this thread and @ my user name to notify me.
