Onboarding21 April 2026·By Harish Mehra

The 10-Item IT Admin Checklist for New Hires

A practical 10-item IT onboarding checklist for Indian MSMEs — five items before day 1, five items on day 1 — with a companion offboarding flow. Designed to make an admin's first 90 minutes of an employee's week turnkey.

Every Indian MSME I've worked with has had some version of the same Monday problem: a new hire arrives at 9:30, excited to start, and for the next four hours they sit at a desk while IT figures out that nobody provisioned their email, the laptop they were supposed to get is with someone in Bangalore, and their AD account got created with a typo. The new hire's first day becomes a memory of waiting — which is a bad first impression for your company and a recurring tax on your IT admin's week.

The cost of a disorganised onboarding isn't the 2 hours lost — it's the signal it sends. It tells the new hire the company isn't organised. It tells the team their IT function runs reactively. It makes the next offboarding (which is the same list in reverse) equally messy, and that's where real security risk lives.

This article is the checklist. Five things before day 1, five things on day 1, and the offboarding mirror. It's meant to be printed, pinned to the IT admin's wall, and followed without thinking.

Before Day 1 — the IT admin's week before

These five should be done by end-of-business the Thursday before the employee starts. HR should have the hire details finalised by then (start date, role, team, reporting manager).

1. Provision the laptop

Procurement should be done already — if it isn't, you're in recovery mode and everything after is a scramble. Assuming the laptop is in IT's physical possession:

Image the machine with the company base OS build
Install the MDM / management agent (so you can manage it remotely if stolen or lost)
Install the standard software baseline: browser, Office / Google Workspace client, Slack / Teams, password manager client, VPN client, any role-specific tools
Configure the management agent's check-in with the device registry
Apply the whole-disk encryption baseline (FileVault on macOS, BitLocker on Windows, LUKS on Linux)
Physical prep: clean the laptop, wipe the screen, install a fresh screen-protector if part of the standard kit

Rough time: 30–45 minutes per laptop if the image is current; 2+ hours if you're building from scratch. Maintain an up-to-date golden image to keep this fast.

2. Register the asset

Add the laptop to the asset register. At minimum:

Unique asset tag (consistent format — we use HVS-LAP-NNN)
Make, model, serial number
Purchase date and GST invoice reference
Assigned-to (the new hire), assignment date
Warranty expiry (so the 90-day alert window triggers automatically)

AMS handles this with auto-tagging and bulk import if you're onboarding multiple people in a week. Sticking the physical tag to the laptop is part of this step — it's what makes the return-on-exit process reliable.

3. Create the directory account

In AD / your identity provider, create the user account with:

Username convention (firstname.lastname or firstname.l, consistent across the company)
First name, last name, display name
Title, department, reporting manager
Email address (same domain as the directory — e.g., priya.sharma@yourcompany.com)
Temporary password with force-change-on-first-login flag
Group memberships for the role (Sales, Engineering, HR, etc.)

Warden is the Hives.cloud take on this for Indian MSMEs — AD-compatible, web-dashboard user management, bundled VPN. But the step applies regardless of provider.

4. Provision email + shared-vault access

Create the mailbox in your email provider (Nectr, Google Workspace, M365, Zoho — whichever)
Set up email signature template (company-standard with their role and disclaimer)
Configure auto-reply if they're joining during a transition
Create their account in the password vault (Unit or equivalent) and add them to the correct team-shared vaults
Do NOT paste any shared credentials into email or chat — use the vault's invitation flow

5. Pre-stage the welcome docs

A single page / doc that the new hire sees on day 1 covering:

The IT setup (username, temporary password, how to log in first time)
The IT asset policy (the one from our asset policy template) for their signature
The password reset / self-service URL
The VPN client download link
The helpdesk channel (email, Slack channel, or ticketing URL)
Contact for IT admin (name, email, Slack handle)

Send this to their personal email by end-of-business Friday, with a note saying "open this when you sit down Monday."

Day 1 — the first 90 minutes

These five happen in the first 90 minutes after the new hire sits down. Done well, the admin's involvement is 20–30 minutes of that time.

6. Hand over the laptop and first login

Physically hand the laptop over (confirm it's the one matching the asset register assignment)
Walk them through the first login: network setup, master account sign-in, disk encryption recovery key storage
Have them change the temporary directory password to something strong (the password vault can generate one)
Verify the machine is enrolled in MDM correctly (the admin should see the check-in)

7. Enrol face attendance (if applicable)

If the company uses Vision or similar:

Enrol the employee's face with the DPDP-compliant consent moment (see the DPDP face attendance compliance article for what that moment needs to include)
Verify the first check-in works
Explain the alternative (RFID card, mobile app) if they prefer not to use face recognition — this choice is a DPDP Act obligation

8. Vault access handoff

Confirm the password-vault client is installed and logged in
Walk them through accessing their personal vault and the team-shared vaults
Show them how to save a new credential (everyone forgets; make them do one live)
Confirm browser extension auto-fill works on a test site

9. Policy acknowledgement

Hand them the printed IT asset policy + an acknowledgement form
Walk through the key clauses (return on exit, personal use, incident reporting)
Get signatures on the asset receipt (the laptop's tag + accessories)
File the signed copy in the HR system and a digital copy in AMS

This 10-minute step is the one that saves the most grief later. A signed, dated policy acknowledgement is what makes asset-return-on-exit enforceable.

10. Meet the team + who-to-ask map

Introduce them to the team's IT contact (you, or your delegate)
Give them the helpdesk ticket URL / Slack channel explicitly
5-minute overview of the internal tools: where the wiki is, where the people directory is, how to find a VPN tutorial if they get disconnected

Optional but recommended: a 15-minute "first-week walkthrough" meeting scheduled for day 2 or 3, where you can check that everything's working after they've used the tools for real work.

The offboarding mirror

The exact same 10 items, in reverse, with three additions:

Pre-exit (the week before last day):

Confirm last day with HR
Schedule asset return for the last day
Note any temporal-access credentials that need extension (finalising handovers)

Exit day:

Revoke directory access (disable, don't delete — disable preserves audit trail)
Revoke vault access (including temporal-access credentials now expired)
Collect the laptop (tag-checked against asset register)
Confirm asset condition, sign hand-back acknowledgement
Remove from face attendance enrolment (DPDP-aligned deletion)
Remove from email distribution lists, share alias re-routed to manager

Post-exit:

Wipe the laptop (standard reformat + reinstall of company image)
Re-assign the asset record as "available, unassigned" in AMS
Final settlement released via HR once IT confirms asset return (this is the clause that makes the whole flow reliable — see the IT asset policy article)
30-day review: verify no orphaned credentials or access tokens remain

The offboarding list matters for security more than onboarding. An ex-employee with live AWS credentials is a breach waiting to happen. This checklist is what prevents that.

Making it repeatable

The entire checklist is 20 items (10 onboarding + 10 offboarding). Small enough to live as a Notion template, a Google Doc, or — if your team has reached 5+ hires/month — a ticketing-system workflow that auto-creates the tasks when HR flags a new hire.

We ship a version of this as the default IT onboarding workflow bundled with Warden (user provisioning), Nectr (mailbox), Vision (attendance), AMS (asset), and Unit (credentials) — five products, one checklist, zero manual steps between them. The 6-product stack thesis explains why the checklist matters as much as the individual products: the real cost reduction of a unified stack is that provisioning and deprovisioning become one workflow rather than five disconnected ones.

The meta-point

Onboarding is the visible slice of IT admin work — it's the thing everyone in the company will see. If it's smooth, IT looks invested and organised. If it's clumsy, everything IT does after feels amateur by association. Invest 4 hours in getting this checklist right for your company, and the next 50 hires are materially better.

The 51st hire is also the first offboarding, eventually. Which is why the same checklist in reverse is the hidden security payoff — and why having one written IT admin process, not a collection of tribal knowledge, is the actual goal.

For the broader picture of how these products connect — and why a unified stack makes this checklist one workflow rather than five — see the 6-product stack thesis. For the policy side that backs this checklist, the IT asset policy template is the document layer this IT flow enforces.

About Hives.cloud

Hives.cloud is an Indian enterprise-software company founded on 12 March 2025 by Vaibhav Sharma (Founder & CEO) and Harish Mehra (Co-Founder & COO). It builds Warden, Nectr, Vision, AMS, and Unit — paid cloud-native IT products giving Indian MSMEs a Microsoft-grade stack at rupee-first, GST-aware pricing. Plus Fixr, a free direct-to-consumer IT repair platform open to both individuals and organisations. The company also runs 0xAPI5, a cybersecurity learning community. Registered office: Delhi. Operating office: Gurugram, Haryana. GSTIN: 07AAPCP5499L1ZE.

Learn more at hives.cloud/about or contact the team at hives.cloud/contact.

Last updated: 21 April 2026

← All articles

Onboarding21 April 2026·By Harish Mehra

The 10-Item IT Admin Checklist for New Hires

This article is the checklist. Five things before day 1, five things on day 1, and the offboarding mirror. It's meant to be printed, pinned to the IT admin's wall, and followed without thinking.

Before Day 1 — the IT admin's week before

These five should be done by end-of-business the Thursday before the employee starts. HR should have the hire details finalised by then (start date, role, team, reporting manager).

1. Provision the laptop

Procurement should be done already — if it isn't, you're in recovery mode and everything after is a scramble. Assuming the laptop is in IT's physical possession:

Image the machine with the company base OS build
Install the MDM / management agent (so you can manage it remotely if stolen or lost)
Install the standard software baseline: browser, Office / Google Workspace client, Slack / Teams, password manager client, VPN client, any role-specific tools
Configure the management agent's check-in with the device registry
Apply the whole-disk encryption baseline (FileVault on macOS, BitLocker on Windows, LUKS on Linux)
Physical prep: clean the laptop, wipe the screen, install a fresh screen-protector if part of the standard kit

Rough time: 30–45 minutes per laptop if the image is current; 2+ hours if you're building from scratch. Maintain an up-to-date golden image to keep this fast.

2. Register the asset

Add the laptop to the asset register. At minimum:

Unique asset tag (consistent format — we use HVS-LAP-NNN)
Make, model, serial number
Purchase date and GST invoice reference
Assigned-to (the new hire), assignment date
Warranty expiry (so the 90-day alert window triggers automatically)

3. Create the directory account

In AD / your identity provider, create the user account with:

Username convention (firstname.lastname or firstname.l, consistent across the company)
First name, last name, display name
Title, department, reporting manager
Email address (same domain as the directory — e.g., priya.sharma@yourcompany.com)
Temporary password with force-change-on-first-login flag
Group memberships for the role (Sales, Engineering, HR, etc.)

Warden is the Hives.cloud take on this for Indian MSMEs — AD-compatible, web-dashboard user management, bundled VPN. But the step applies regardless of provider.

4. Provision email + shared-vault access

Create the mailbox in your email provider (Nectr, Google Workspace, M365, Zoho — whichever)
Set up email signature template (company-standard with their role and disclaimer)
Configure auto-reply if they're joining during a transition
Create their account in the password vault (Unit or equivalent) and add them to the correct team-shared vaults
Do NOT paste any shared credentials into email or chat — use the vault's invitation flow

5. Pre-stage the welcome docs

A single page / doc that the new hire sees on day 1 covering:

The IT setup (username, temporary password, how to log in first time)
The IT asset policy (the one from our asset policy template) for their signature
The password reset / self-service URL
The VPN client download link
The helpdesk channel (email, Slack channel, or ticketing URL)
Contact for IT admin (name, email, Slack handle)

Send this to their personal email by end-of-business Friday, with a note saying "open this when you sit down Monday."

Day 1 — the first 90 minutes

These five happen in the first 90 minutes after the new hire sits down. Done well, the admin's involvement is 20–30 minutes of that time.

6. Hand over the laptop and first login

Physically hand the laptop over (confirm it's the one matching the asset register assignment)
Walk them through the first login: network setup, master account sign-in, disk encryption recovery key storage
Have them change the temporary directory password to something strong (the password vault can generate one)
Verify the machine is enrolled in MDM correctly (the admin should see the check-in)

7. Enrol face attendance (if applicable)

If the company uses Vision or similar:

Enrol the employee's face with the DPDP-compliant consent moment (see the DPDP face attendance compliance article for what that moment needs to include)
Verify the first check-in works
Explain the alternative (RFID card, mobile app) if they prefer not to use face recognition — this choice is a DPDP Act obligation

8. Vault access handoff

Confirm the password-vault client is installed and logged in
Walk them through accessing their personal vault and the team-shared vaults
Show them how to save a new credential (everyone forgets; make them do one live)
Confirm browser extension auto-fill works on a test site

9. Policy acknowledgement

Hand them the printed IT asset policy + an acknowledgement form
Walk through the key clauses (return on exit, personal use, incident reporting)
Get signatures on the asset receipt (the laptop's tag + accessories)
File the signed copy in the HR system and a digital copy in AMS

This 10-minute step is the one that saves the most grief later. A signed, dated policy acknowledgement is what makes asset-return-on-exit enforceable.

10. Meet the team + who-to-ask map

Introduce them to the team's IT contact (you, or your delegate)
Give them the helpdesk ticket URL / Slack channel explicitly
5-minute overview of the internal tools: where the wiki is, where the people directory is, how to find a VPN tutorial if they get disconnected

Optional but recommended: a 15-minute "first-week walkthrough" meeting scheduled for day 2 or 3, where you can check that everything's working after they've used the tools for real work.

The offboarding mirror

The exact same 10 items, in reverse, with three additions:

Pre-exit (the week before last day):

Confirm last day with HR
Schedule asset return for the last day
Note any temporal-access credentials that need extension (finalising handovers)

Exit day:

Revoke directory access (disable, don't delete — disable preserves audit trail)
Revoke vault access (including temporal-access credentials now expired)
Collect the laptop (tag-checked against asset register)
Confirm asset condition, sign hand-back acknowledgement
Remove from face attendance enrolment (DPDP-aligned deletion)
Remove from email distribution lists, share alias re-routed to manager

Post-exit:

Wipe the laptop (standard reformat + reinstall of company image)
Re-assign the asset record as "available, unassigned" in AMS
Final settlement released via HR once IT confirms asset return (this is the clause that makes the whole flow reliable — see the IT asset policy article)
30-day review: verify no orphaned credentials or access tokens remain

The offboarding list matters for security more than onboarding. An ex-employee with live AWS credentials is a breach waiting to happen. This checklist is what prevents that.

Making it repeatable

The meta-point

About Hives.cloud

Learn more at hives.cloud/about or contact the team at hives.cloud/contact.

Last updated: 21 April 2026

Before Day 1 — the IT admin's week before

1. Provision the laptop

2. Register the asset

3. Create the directory account

4. Provision email + shared-vault access

5. Pre-stage the welcome docs

Day 1 — the first 90 minutes

6. Hand over the laptop and first login

7. Enrol face attendance (if applicable)

8. Vault access handoff

9. Policy acknowledgement

10. Meet the team + who-to-ask map

The offboarding mirror

Making it repeatable

The meta-point

Face Attendance Compliance Under the DPDP Act 2023: What Indian MSMEs Must Know

Building an IT Asset Policy: A Template for Indian Companies

Face Recognition Attendance: What Indian MSMEs Actually Pay in 2026

Before Day 1 — the IT admin's week before

1. Provision the laptop

2. Register the asset

3. Create the directory account

4. Provision email + shared-vault access

5. Pre-stage the welcome docs

Day 1 — the first 90 minutes

6. Hand over the laptop and first login

7. Enrol face attendance (if applicable)

8. Vault access handoff

9. Policy acknowledgement

10. Meet the team + who-to-ask map

The offboarding mirror

Making it repeatable

The meta-point

Face Attendance Compliance Under the DPDP Act 2023: What Indian MSMEs Must Know

Building an IT Asset Policy: A Template for Indian Companies

Face Recognition Attendance: What Indian MSMEs Actually Pay in 2026