HELP FILE

Terminate LastPass Enterprise User Accounts

There are several termination options available for LastPass administrators to use, each with varying degrees of severity. Please consider your options carefully prior to deleting or removing users. These actions can be performed manually via the Admin Console (as shown below), or can be automated using directory integration options.

If you are using Active Directory Federation Services (AD FS) for LastPass Enterprise, please be aware of the following:

  • If you intend to convert an existing non-federated user (who was created using the same instance of the LastPass AD Connector) to a federated user, please see How do I convert an existing LastPass user to a federated (AD FS) user?
  • If you want to convert an existing non-federated user that was created manually or by another method, the user's account must be deleted (not disabled or removed) before they can be created as a new federated user. To ensure that the user's LastPass account data can be fully restored without data loss during this process, it is required that the user exports their LastPass Vault data before their account is deleted.

Whether a user account is deleted, disabled, or removed from the LastPass Enterprise account, this will not impact any remaining users or their previously associated shared folders. However, if the departed user was the admin of a shared folder, that folder will be left without an admin. For this reason, it is recommended that you enable the Super Admin – Shared Folders policy for at least one admin.

As a best practice and an added precaution, we suggest that any shared credentials be changed upon the departure of an employee, regardless of how you choose to manage their exit from LastPass. These changes to any shared folder will automatically sync to all assigned users, and this will give you an added layer of security.

Note: All LastPass Enterprise seats are transferable once an account is disabled, removed, or deleted.

Manually terminate a user

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Click Users in the left menu.
  3. Click to select your desired user.
  4. Click the More icon (ellipsis) at the top of the users table.
  5. Choose from the following options, each outlined in detail below:

Disable a user

Disabling a user in your LastPass Enterprise account puts a lock on the account. No one – not even your LastPass administrator – can log in to the account regardless of passwords or previous access. Once disabled, the seat will be available for reassignment.

Remove a user from the company

Removing a user from your LastPass Enterprise account will disassociate that user’s account from your company account. With this action, you are prompted to select one of the following options:

  • Forbid access to shared sites and folders – Selecting this option will delete all items within the account that have been shared with the user from other users in the Enterprise (from within shared folders and single shared items).
  • Allow access to shared sites and folders – Selecting this option will allow all items that were shared with the user from other users in the Enterprise to remain available to the user (from within shared folders and single shared items).

Once you click Remove User, the seat is available for reassignment, and the removed user's account will be downgraded to a LastPass Free account. However, if the removed user previously purchased LastPass Premium before joining the Enterprise, they will be downgraded to LastPass Premium to continue using any remaining time left (if applicable).

Delete a user

Deleting an account fully deletes all information within the user's LastPass account. Any data stored within the account will be deleted, an action which cannot be undone. For this reason, it is strongly recommended that a user exports their LastPass account data prior to being deleted so that their LastPass Vault data can be restored later if desired. Once deleted, the seat will be available for reassignment.

Reset a user's Master Password

This option is only available if the Super Admin – Password Reset policy is in place. From the Admin Console, the Admin of the Enterprise can reset the Master Password on the account. This option can be leveraged under the following scenarios:

  • You would like to lock out the owner of the account, but still allow Admin access. This can be helpful for audit purposes, in order to update and/or terminate any credentials to which the end user had access.
  • You would like to assign the entire account – with all of its contents – to another employee.

Important considerations

  • Ensuring that sites/tools are no longer accessible by the employee: If the account owner created any passwords in their Vault, or if any credentials were shared visibly with them, then it is quite possible that they have stored this information elsewhere and could access these tools again in the future (outside of LastPass). To avoid any doubt, we strongly recommend updating all passwords when an employee account is terminated.
  • Once an employee is terminated (disabled, deleted or removed), any data that the account owner has placed in a Shared Folder will remain fully intact for remaining users.
  • In the case of Shared Folders, while you are never at risk of deleting the shared credentials, you are at risk of finding yourself with no remaining Admin on the folder (if the former account owner was the sole folder Admin). If this is a concern, you should consider enabling the "Super Admin – Shared Folders" policy.
  • Please note that NONE of these actions will affect a Linked Personal Account, which is why we highly recommend that users store personal data within their Linked Personal Account rather than storing this type of data in an Enterprise account.
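
The shared-folder and credential-rotation considerations above can be checked before a user is terminated. The following is an added example, not LastPass code and not part of the original help file: the inventory structure and every folder, user and item name in it are constructed, standing in for whatever record of shared folder membership you keep.

```python
from dataclasses import dataclass, field


@dataclass
class SharedFolder:
    name: str
    admins: set          # users with admin rights on the folder
    members: set         # users with access (admins included)
    items: list = field(default_factory=list)  # shared credential labels


# Constructed sample inventory: all folder, user and item names are hypothetical.
FOLDERS = [
    SharedFolder("Finance", {"alice@example.com"},
                 {"alice@example.com", "bob@example.com"},
                 ["bank-portal", "payroll"]),
    SharedFolder("DevOps", {"alice@example.com", "carol@example.com"},
                 {"alice@example.com", "carol@example.com"},
                 ["aws-root", "ci-token"]),
    SharedFolder("Marketing", {"dave@example.com"},
                 {"dave@example.com", "bob@example.com"},
                 ["cms-admin"]),
]


def offboarding_report(user, folders, super_admin_shared_folders=False):
    """Summarize what to handle before `user` is disabled, removed or deleted."""
    sole_admin, rotate = [], []
    for folder in folders:
        if user not in folder.members | folder.admins:
            continue
        # Anything shared with the user may have been copied elsewhere.
        rotate.extend((folder.name, item) for item in folder.items)
        # Folder would be left without an admin once the user is gone.
        if folder.admins == {user}:
            sole_admin.append(folder.name)
    return {
        "sole_admin_folders": sorted(sole_admin),
        "credentials_to_rotate": sorted(rotate),
        # Covered if no folder is orphaned, or the Super Admin – Shared
        # Folders policy is enabled for at least one admin.
        "admin_coverage_ok": not sole_admin or super_admin_shared_folders,
    }


if __name__ == "__main__":
    print(offboarding_report("alice@example.com", FOLDERS))
```
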