

Active Directory Best Practices

Posted on 2013-12-26
Medium Priority
Last Modified: 2014-01-14
Is there a url or guide of best practices for Active Directory?  Currently, when a user resigns from our company, we rebuild their computer immediately and provide to another user.  

From a best practice perspective, should we delete the computername from AD and then rebuild and join to the Domain?  Are there other best practices for AD that we should be following for on-boarding and off-boarding users?  What are your thoughts?
Question by:rmessing171

Expert Comment

ID: 39740309

Expert Comment

by:Seth Simmons
ID: 39740333
There really isn't a best practice for that specifically; it could be more of a business requirement than a technical one in terms of the specific accounts. At my last place we used to disable a user account and move it to a separate OU (there were a few occasions when the person later came back). But for a computer account I made sure it was removed from the domain before rebuilding it, else you will have to do some cleanup later - more of a time saver than anything else.

The last 2 links above are additional useful information regarding other aspects of AD you might find useful in your environment. The first link (TechNet) has broken links or obsolete information around Windows 2003.

Expert Comment

ID: 39740359
Do your computer names also need to be changed when a user resigns, as per your company security policy?
If that's not the case, you can disable that computer account and after a certain period of time you can remove those computer accounts.
The idea behind this is to just reuse the same existing computer names if user turnover is frequent, and to avoid the frequent creation of new computer accounts.

If a replacement user is available immediately in place of the resigned employee, you can just back up all user data and wipe out the user profile; the computer will become new for the new user.
Also, if as per your company policy the computer must be formatted for a new joiner, then you can still keep the same name as before: just reset the computer account in AD and then join the formatted computer to the domain. It will work without any issues.

In the case of user accounts, some bigger companies never delete user accounts, they just disable them, as resigned employees may re-join at any time in the future and they don't want to create new accounts for them every time, which might be integrated with SAP, ERP and so forth.
In normal scenarios, you can disable user accounts and after a certain period you can delete them.

The guide below is for Active Directory security best practices:




Expert Comment

ID: 39740390
Why do you need to rebuild the computer? This is not necessary.

Author Comment

ID: 39740411
Thank you Mahesh and seth2740 for your immediate responses!

seth2740 - You referenced that I will have to do some cleanup later if I didn't remove the computer from AD.  Is the cleanup deleting the old computer from AD or would there be more tasks to perform?

Expert Comment

by:Brad Held
ID: 39740653
If the computer name does not change and you are going to rebuild it, then reset the computer account in AD (which will break the secure channel with the domain), move that computer account to the correct OU for the next user, wipe and reload the PC, and rejoin the domain. As stated previously, this is more of a business requirement than a technical requirement; if your users are just users and not computer admins, then signing in as another user would be enough without the rebuild of the PC. But without knowing the environment or business needs, this would be hard to quantify in the forum.

Expert Comment

by:Leon Fester
ID: 39741432
What you are discussing is not an Active Directory best practice but a security best practice.

In terms of deleting the computer account...you can simply reset the computer account instead of deleting it if you are going to rebuild the computer.

Regarding the user account, AD best practice recommends that you disable the user account for a period of time, typically 1 - 3 months.
This is just in case you need to recover a mailbox or data or copy permissions that may have been overlooked.

After the 'disabled period' you can then safely delete the user account.
Typically your HR department would inform you timeously when they've received a user termination request so you can set the account to expire at that date to prevent accounts from being active after the user has left...just in case somebody wants to do malicious actions on the old username.

My favourite place to find best practice advice is the Friday Mailsack blog for the Active Directory team.

Also check some of the best practice recommendations from the following site:
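
The leaver lifecycle Leon describes (expire on the HR date, disable and park for a retention window, then delete), scripted as an added example that is not part of any comment in this thread. It uses the ActiveDirectory module from RSAT; the "Disabled Users" OU, the 90-day retention window and the "Disabled yyyy-MM-dd" description stamp are assumptions made for the illustration.

```powershell
# Added example (not from any comment in this thread): the leaver lifecycle
# scripted with the ActiveDirectory module (RSAT on a workstation, or run on a DC).
# Assumptions for illustration: the OU path, the 90-day retention window and
# the "Disabled yyyy-MM-dd" description stamp are made up here.
Import-Module ActiveDirectory

$DisabledUsersOU = 'OU=Disabled Users,DC=example,DC=com'   # assumed OU
$RetentionDays   = 90                                      # assumed: the 1-3 month window

# Step 1: when HR gives notice, set the account to expire at the end of the
# user's last day so the old username cannot be used after they have left.
function Set-LeaverExpiry {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$LastDay
    )
    # Expiry at 00:00 of the following day covers the whole last working day.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $LastDay.Date.AddDays(1)
}

# Step 2: on the last day, export group memberships (they are gone once the
# object is deleted and are the usual thing that is overlooked when a
# successor needs the same permissions), disable the account, stamp the
# description with the date so cleanup can tell how long it has been parked,
# and move it to the disabled-users OU. Move last: the DN changes on move.
function Disable-Leaver {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ExportPath = $env:TEMP
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Description

    Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object Name, DistinguishedName |
        Export-Csv -Path (Join-Path $ExportPath "$SamAccountName-groups.csv") -NoTypeInformation

    Disable-ADAccount -Identity $user
    $stamp = 'Disabled {0:yyyy-MM-dd} (offboarding)' -f (Get-Date)
    $desc  = if ($user.Description) { "$stamp; $($user.Description)" } else { $stamp }
    Set-ADUser -Identity $user -Description $desc
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledUsersOU
}

# Step 3: after the retention window, list parked accounts that are past it.
# Review the list (mailbox, home folder, SAP/ERP integrations) before deleting;
# nothing here calls Remove-ADUser automatically.
function Get-LeaversPastRetention {
    param([int]$Days = $RetentionDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -SearchBase $DisabledUsersOU -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
            [datetime]$Matches[1] -lt $cutoff
        }
}

# Usage (jdoe is a made-up account):
#   Set-LeaverExpiry -SamAccountName jdoe -LastDay '2014-01-31'   # when HR notifies
#   Disable-Leaver   -SamAccountName jdoe                           # on or after the last day
#   Get-LeaversPastRetention | Format-Table SamAccountName, Description
#   Get-LeaversPastRetention | Remove-ADUser -WhatIf                # drop -WhatIf to delete
```

The expiry date is what closes the window between "HR knows" and "IT acts"; the disable is what you do on the day, and the stamped description is what makes the later sweep safe to automate without looking each account up. For the computer side of a rebuild, resetting rather than deleting the account (as Brad and Leon suggest) is `dsmod computer "<computer DN>" -reset` from an elevated prompt; the reimaged machine then rejoins under the same name.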

Author Comment

ID: 39741998
Thank you for all of the info everyone posted. It has helped me significantly. We rebuild our PCs to refresh the Windows 7 operating system, install applications (each department gets certain apps), and the PC gets a computer name based on the user's name. The reason I am asking about removing the PC from AD and SCCM is because I am trying to use SCCM 2007 SP2 R3 to keep better computer and software inventory control. SCCM is using the AD discovery method, and since we have not deleted any computers from AD or SCCM when a user resigns, I have a lot of old computers and software being reported on. What is the proper/recommended method to clean up the old computers in AD and SCCM? Any thoughts?

Expert Comment

by:Brad Held
ID: 39742217
So the real question is how to get AD cleaned up, and maintain it going forward. Check for PCs that have not changed their password in, say, 60+ days; computers by default will change the password every 30 days when connected to the network.


Once the existing environment is cleaned, then as users come and go it should be part of the off-boarding process to disable the user account and move it to a special OU; this should also happen for the computer account. A note could be added in the description attribute of when the computer was disabled, to make cleanup easier. Every now and then I would go clean up that OU and remove old computer accounts.
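
The clean-up Brad describes (find enabled computers whose machine-account password is older than 60 days, park them disabled with a dated description, sweep the parked OU later), scripted as an added example that is not part of any comment in this thread. It uses the ActiveDirectory module; the 60-day threshold, the "Disabled Computers" OU and the description stamp format are assumptions made for the illustration.

```powershell
# Added example (not from any comment in this thread): stale computer account
# clean-up with the ActiveDirectory module (RSAT on a workstation, or run on a DC).
# Assumptions for illustration: the 60-day threshold, the OU path and the
# "Disabled yyyy-MM-dd: reason" description stamp are made up here.
Import-Module ActiveDirectory

$StaleDays          = 60                                          # assumed threshold
$DisabledComputerOU = 'OU=Disabled Computers,DC=example,DC=com'   # assumed OU

# One-off pass over the existing environment. Domain members rotate their
# machine-account password every 30 days by default (policy "Domain member:
# Maximum machine account password age"), so an enabled account whose password
# is older than $StaleDays has not talked to the domain for at least that long.
# A never-set password (PasswordLastSet empty) counts as stale.
function Get-StaleComputers {
    param([int]$Days = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter 'Enabled -eq $true' `
                   -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Where-Object {
            # Domain controllers are never candidates, whatever their password age.
            $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' -and
            (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
        } |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName
}

# Off-boarding step for one computer account (also used for the stale list
# above): disable it, record the date and reason in the description, then
# park it in the disabled-computers OU. Disable and stamp come before the
# move because the DN changes once the object is moved.
function Disable-ComputerForCleanup {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [string]$Reason = 'stale account'
    )
    process {
        Disable-ADAccount -Identity $DistinguishedName
        Set-ADComputer -Identity $DistinguishedName `
            -Description ('Disabled {0:yyyy-MM-dd}: {1}' -f (Get-Date), $Reason)
        Move-ADObject -Identity $DistinguishedName -TargetPath $DisabledComputerOU
    }
}

# Periodic sweep of the parked OU: anything stamped more than $Days ago and
# still disabled (nobody re-enabled it because the machine came back) is
# deleted. Run with -WhatIf first.
function Remove-ParkedComputers {
    param([int]$Days = 90, [switch]$WhatIf)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -SearchBase $DisabledComputerOU -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
            [datetime]$Matches[1] -lt $cutoff
        } |
        Remove-ADComputer -Confirm:$false -WhatIf:$WhatIf
}

# Usage (PC-JDOE and the OU paths are made up):
#   Get-StaleComputers | Export-Csv .\stale-computers.csv -NoTypeInformation   # review first
#   Get-StaleComputers | Disable-ComputerForCleanup                             # park them
#   Disable-ComputerForCleanup -DistinguishedName 'CN=PC-JDOE,OU=Workstations,DC=example,DC=com' -Reason 'user left'
#   Remove-ParkedComputers -Days 90 -WhatIf                                     # then again without -WhatIf
```

Treat the stale list as a review list, not a delete list: laptops that have been off the network and powered-off spares look exactly like abandoned accounts, which is why the example parks them disabled first and only deletes after a second window. `Remove-ADComputer` refuses objects that have child objects (for example BitLocker recovery information); for those, confirm the keys are not needed and use `Remove-ADObject -Recursive`. Once an account is gone from AD, AD System Discovery stops re-creating its record in SCCM, and the site's "Delete Aged Discovery Data" maintenance task ages the old record out.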

Author Comment

ID: 39742248
Bradheld - Thank you for the immediate response and the info!

Quick Question - When off-boarding an employee, should the computername (resource) be deleted from the SCCM - All Systems collection, or will it automatically get removed from SCCM when I disable the computer account in AD?  What are your thoughts?

Accepted Solution

Mahesh earned 1500 total points
ID: 39742734
In SCCM you can enable a predefined task under Site Settings -> Site Maintenance. There is a task called "Delete obsolete client data".
This might help; otherwise there is no automated way to remove disabled computers from SCCM.
You can use the script below if you have 2008 R2 Domain Controllers:

There is a lot of difference between AD best practices and AD clean-up.
Unless you tell us the exact requirement / problem in the first place, Experts cannot provide you with the correct solution, and all solutions provided are directionless and meaningless.

