Terminate LastPass Enterprise User Accounts
There are several termination options available for LastPass administrators to use, each with varying degrees of severity. Please consider your options carefully prior to deleting or removing users. These actions can be performed manually via the Admin Console (as shown below), or can be automated using directory integration options.
Deleting, disabling, or removing a user account from the LastPass Enterprise account will not impact any remaining users or their previously associated shared folders. However, if the departed user was the admin of a shared folder, that folder will be left without an admin. For this reason, it is recommended that you enable the Super Admin – Shared Folders policy.
As a best practice and an added precaution, we suggest that any shared credentials be changed upon the departure of an employee, regardless of how you choose to manage their exit from LastPass. These changes to any shared folder will automatically sync to all assigned users, and this will give you an added layer of security.
Disabling a user in your LastPass Enterprise account puts a lock on the account. No one – not even your LastPass administrator – can log in to the account regardless of passwords or previous access. Once disabled, the seat will be available for reassignment.
Removing a user from your LastPass Enterprise account will disassociate that user’s account from your company account. With this action, all shared folder data will be revoked immediately. LastPass will also prompt you to choose between the “Delete Shares” and “Do Not Delete Shares” options. Selecting Delete Shares will delete all Sites within the account that have been shared to the user from other users in the Enterprise outside of shared folders. The account will otherwise still be fully available for use by this user, including all data that has been stored in the user’s Vault. Once removed, the seat will be available for reassignment.
Deleting an account FULLY DELETES ALL INFORMATION within the user's LastPass account. Any data stored within the account will be deleted, an action which cannot be undone. For this reason, it is strongly recommended that a user exports their LastPass account data prior to being deleted so that their LastPass Vault data can be restored later if desired. Once deleted, the seat will be available for reassignment.
Resetting a user's Master Password is only available if the Super Admin – Password Reset policy is in place. From the Admin Console, the Admin of the Enterprise can reset the Master Password on the account. This option can be leveraged under the following scenarios:
- You would like to lock out the owner of the account, but still allow Admin access. This can be helpful for audit purposes, in order to update and/or terminate any credentials to which the end user had access.
- You would like to assign the entire account – with all of its contents – to another employee.
- Ensuring that Sites/tools are no longer accessible by the employee: If the account owner created any passwords in their Vault, or if any credentials were shared visibly with them, then it is quite possible that they have stored this information elsewhere and could access these tools again in the future (outside of LastPass). In order to avoid any doubt, we strongly recommend updating all passwords when an employee account is terminated.
- Once an employee is terminated (disabled, deleted or removed), any data that the account owner has placed in a Shared Folder will remain fully intact for remaining users.
- In the case of Shared Folders, while you are never at risk of deleting the shared credentials, you are at risk of finding yourself with no remaining Admin on the folder (if the former account owner was the sole folder Admin). If this is a concern, you should consider enabling the "Super Admin – Shared Folders" policy.
- Please note that NONE of these actions will affect a Linked Personal Account, which is why we highly recommend that users store personal data within their Linked Personal Account rather than storing this type of data in an Enterprise account.
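
A pre-offboarding check for the two risks described above (a shared folder losing its only admin, and shared credentials that should be changed), as an added example that is not LastPass code. The inventory structure, folder names, and addresses are constructed, and how you collect folder membership from your own account is assumed.

```python
# Added example: the inventory layout below is constructed for illustration;
# it is not a LastPass export format or API response.
from dataclasses import dataclass, field


@dataclass
class SharedFolder:
    name: str
    admins: set[str]
    members: set[str]                      # everyone with access, admins included
    sites: list[str] = field(default_factory=list)


def offboarding_report(folders, departing, super_admin_policy=False):
    """Return (orphaned_folders, sites_to_rotate) for one departing user."""
    orphaned, rotate = [], set()
    for f in folders:
        if departing not in f.members | f.admins:
            continue
        # Every shared credential the user could read should be changed on exit.
        rotate.update(f.sites)
        # A folder is orphaned when the departing user was its only admin and
        # the Super Admin - Shared Folders policy is not enabled to cover it.
        if f.admins == {departing} and not super_admin_policy:
            orphaned.append(f.name)
    return sorted(orphaned), sorted(rotate)


# Constructed sample inventory.
FOLDERS = [
    SharedFolder("Finance", {"alice@example.com"},
                 {"alice@example.com", "bob@example.com"},
                 ["bank.example", "payroll.example"]),
    SharedFolder("DevOps", {"alice@example.com", "carol@example.com"},
                 {"alice@example.com", "carol@example.com"},
                 ["cloud.example"]),
    SharedFolder("Marketing", {"dave@example.com"},
                 {"dave@example.com", "bob@example.com"},
                 ["social.example"]),
]

if __name__ == "__main__":
    orphaned, rotate = offboarding_report(FOLDERS, "alice@example.com")
    print("Folders left without an admin:", orphaned)
    print("Shared credentials to change:", rotate)
```

Run it before disabling, removing, or deleting the account, so a second folder admin can be assigned while the departing user's admin rights still exist.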