Best Practices for Deleting Users

Posted on 2006-04-19
Last Modified: 2010-03-19
There are some people in my client's organization that have left.  What is the accepted best practice for removing these individuals?  Simply delete the user in ADUC or disable?  Will they still have a presence in email lists?
Question by: mentisgroup
    LVL 9

    Expert Comment

    You can disable the accounts and hide their membership from distribution lists if you don't want to delete.

    I would say the best practice is to archive all of the user data, disable the account for 30-60 days, then delete.
    LVL 25

    Accepted Solution

    This is "best practice" for SOX compliance.

    Create an OU in Active Directory for "Users - Terminated".
    When a user is termed, disable their account, and move them into the above OU (organizational unit).
    In the description you will put the day they are termed and the day they are to be deleted, usually 60 days after term date.  Remove usernames in applications that have built-in security such as accounting programs.

    So the idea here is to disable, then in 60 days delete accounts and remove mailboxes at the same time.

    When a user is disabled, no mail can be sent or received to their account.  Additionally, their mailbox cannot be backed up as an individual MAPI mailbox backup.  You can back up the store, but not the individual mailbox.  This means you can't restore their individual mailbox without restoring the information store first.  Not usually a problem in small networks.

    Suggestion: create a user termination checklist that is applicable to the size and needs of your organization, and document everything.
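
The disable, stamp and move steps from the accepted solution, written in PowerShell with the ActiveDirectory (RSAT) module, plus a read-only report of accounts whose stamped deletion date has passed. This is an added example, not part of the original answer; the OU distinguished name, the description format and the function names are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Assumed values (not from the thread): the domain DN and the description format.
$TerminatedOU  = 'OU=Users - Terminated,DC=example,DC=com'
$RetentionDays = 60   # the answer's "usually 60 days after term date"

function Disable-TerminatedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$TermDate = (Get-Date)
    )
    $user     = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $deleteOn = $TermDate.AddDays($RetentionDays)
    $stamp    = 'TERMINATED {0:yyyy-MM-dd}; DELETE AFTER {1:yyyy-MM-dd}' -f $TermDate, $deleteOn

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, stamp and move')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $stamp
        # Move last: the distinguished name changes once the object is moved.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU
    }
    # Record for the termination checklist, including group memberships at term time.
    [pscustomobject]@{
        User = $SamAccountName; Termed = $TermDate.Date
        DeleteAfter = $deleteOn.Date; Groups = $user.MemberOf
    }
}

function Get-UserDueForDeletion {
    # Report only; nothing is deleted here.
    Get-ADUser -SearchBase $TerminatedOU -Filter * -Properties Description |
        ForEach-Object {
            $due = $null
            if ($_.Description -match 'DELETE AFTER (\d{4}-\d{2}-\d{2})') {
                $due = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
                           [cultureinfo]::InvariantCulture)
            }
            # Unstamped accounts are listed with an empty date for manual review.
            if (-not $due -or $due -le (Get-Date)) {
                [pscustomobject]@{ User = $_.SamAccountName; DeleteAfter = $due
                                   Enabled = $_.Enabled }
            }
        }
}
```

Running `Disable-TerminatedUser` with `-WhatIf` shows what would change without touching the directory. An `Enabled` value of `True` in the report means an account in the terminated OU has been re-enabled and should be investigated.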

    LVL 2

    Expert Comment

    I don't know if it's the best practice, but it's mine:

    I archive the profile and the personal data of the user on a CD (or DVD).
    After that, I look at all the groups and delete the account from all the groups (I list all the groups in a document that I put on the CD).
    I deactivate the account.
    I create rules in the mailbox:
     - Reply to all to notify that this email address is no longer in use, and I give the new email address (I notify that the mail is forwarded)
     - Forward all mails to another user

    After 6 months, I delete the account in the domain and the email address.
