What do you guys do with Windows AD old user accounts?

This is a dumb question. We are running Active Directory, of course. There are many old accounts (Windows and Exchange) from employees who left a long time ago.

Do you guys just delete them or just disable them? I have many complaints about seeing these users in the GAL or groups.

What do you guys do?
Asked by: PaperTiger
 
Andres Perales commented:
We disable the account for 90 days, reset the password to an administrative password for those accounts, and hide the account from the GAL so that they do not show up and annoy people.

After 90 days we delete the account; the mailbox will stay in Exchange another 15 days and then automatically purges.
0
 
MidnightOne commented:
I disable the user account, reset the password and hide the user from the address book. After 90 days, the account can be deleted permanently.
0
 
tigermatt commented:
We usually keep them for between 90 and 180 days. During this time, another user will be delegated the responsibility of checking the Exchange mailbox of this account to deal with any incoming mail. Of course, during this time, anyone important who is going to make contact will already have done so, and received the new contact information. This also allows the user to retrieve important mail from the user's mailbox and their Documents folder.

After this time, we completely delete the account, files and mailbox from the system, although if it was a very important user, their information is usually archived (PST file for Exchange mailbox) before they are deleted, just in case there was important financial information or something else present in there!

-tigermatt
0

 
thor_08 commented:
Hello Paper Tiger, it's best to disable the account immediately, reset the password to a standard password, and hide the user from the GAL. That way we prevent the user from accessing resources and keep the user's mailbox in case someone needs e-mails from that account.
After a few weeks, you can delete it.
If there is enough turnover of user accounts in Active Directory, you can use a script to remove them automatically.
Greetings
0
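
The disable, reset, hide and delete-after-90-days routine from the answers above, sketched as a PowerShell script; this is an added example, not code posted by anyone in the thread. It assumes the ActiveDirectory module and the Exchange schema are present, uses a random password rather than a shared standard one, and the function names and the `OFFBOARDED:` description tag are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and the Exchange
# schema attribute msExchHideFromAddressLists. The "OFFBOARDED:" description
# tag is a hypothetical convention of this example, not an AD feature.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    # Random 32-byte password so nobody, including the leaver, knows it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($Identity, 'Disable, reset password, hide from GAL')) {
        Disable-ADAccount -Identity $Identity
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secret
        # Stamp the date so the purge step can measure the retention period.
        $stamp = 'OFFBOARDED:{0:yyyy-MM-dd}' -f (Get-Date)
        Set-ADUser -Identity $Identity -Replace @{
            description                = $stamp
            msExchHideFromAddressLists = $true
        }
    }
}

function Remove-ExpiredDepartedUser {
    # ConfirmImpact High: prompts per account unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([int]$RetentionDays = 90)

    $cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
    Get-ADUser -Filter 'Enabled -eq $false -and Description -like "OFFBOARDED:*"' -Properties Description |
        ForEach-Object {
            $when = [datetime]::MinValue
            $text = $_.Description.Substring('OFFBOARDED:'.Length)
            $ok = [datetime]::TryParseExact($text, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$when)
            # Skip malformed stamps rather than guessing; delete only past the cutoff.
            if ($ok -and $when -le $cutoff -and
                $PSCmdlet.ShouldProcess($_.SamAccountName, 'Delete AD account')) {
                Remove-ADUser -Identity $_ -Confirm:$false
            }
        }
}

# Dry run first: lists what would be deleted without changing anything.
Remove-ExpiredDepartedUser -RetentionDays 90 -WhatIf
```

Archive any mailbox or files that must be kept before running the purge step without `-WhatIf`.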
 
PaperTiger (author) commented:
so, deleting is perfectly fine?
0
 
Andres Perales commented:
There is nothing wrong with deleting...we just keep for administrative purposes is all...if you know the user is gone, then you should delete the account, if no one needs access to their mail, that can go away too...
0
 
tigermatt commented:
>>> "so, deleting is perfectly fine?"

Yes - you can safely delete them. They shouldn't have any custom services or applications running on them, so in theory nothing is relying upon them and they can therefore be removed.

It's just good to keep the mail and files present for a while and get someone in the old user's department to check over these - just in case that one important file is hidden away somewhere!
0