[ars]

> should have disabled all access from this ex-admin

You can't. Not from an admin.

Same as how if you are rooted the only advice is to reinstall. It's simply impossible to reliably undo everything from inside the machine.

If you are a company, reimage the machine, then reinstall everything, and copy the code fresh from known good source control (and hope someone was watching source control that the admin did not check something in).

[_ph_]

Of course you can. The moment his account is deactivated, he should not be able to access any machine in the system. Unless of course, he installed proactively backdoors, which is a criminal offense, at least here in Germany. And with a proper setup, he should not get random remote access.