What is the best way to disable AD users?


In our company we have different types of employment:

1- Users who come to work for just 6 months and then leave the company, like students
2- Users who work for some time, like 2 years, and then leave
3- And the normal users

One of the problems is that some users leave us for one year and then come back to work with us; the same happens in the student case. And we, as an IT department, don't know if a user will come back to work, even after one year.

But all the time I have discussions with my colleagues about how we can disable these users and how long we can keep them in our AD as disabled accounts.

What is the best way to save their emails?
They create files and directories, so what about the ownership and other stuff?

So I need good advice on the best way to handle such a case.


David Johnson, CD, MVP (Owner) commented:
90 days is a reasonable limit. So what if they come back? They should start fresh.

Andrew Davis (Manager) commented:
Agreed with David. One of our clients is a law firm, and we have a similar situation in that they have article clerks (basically law students who work in a practice for 12 months). In that case we have a couple of accounts (clerk1 and clerk2); they have certain restrictions, and the account follows the position. When one leaves, we change and disable their account; when they are replaced (not always straight away), the account is re-activated and the password reset.

Ed Dredd commented:
A 90-day policy for an account that has not logged in is too long. I suggest that any non-active account be disabled after 30 days and deleted after 90 days.
But if there is no constraint on storage or email allocation, why bother? May I know your constraint?

Andrew Davis (Manager) commented:
@ed_dred I believe that what David meant was that the account should be disabled immediately on the employee leaving, and then, if they have not returned within 90 days, the account deleted. I would never leave a non-active account sitting active for 30 days. We disable it ASAP.

Ed Dredd commented:
In some big institutions, they will preserve your account until you tell them to close it.

In this case, if there is a need to create a policy, then create one. You know better how your organization works. :) No best practice in one place will also be a best practice in another place.
For me, leaving that account for another 30 days after a normal cause (e.g. retiring) is also best practice, because someone has a good network with vendors/business partners and we should retain the account for the sake of the company. BUT if there is a threat of information leaking, then it should be terminated immediately.

Again, you know your needs better. Cheers

sword12 (Author) commented:
Thanks all.

But my point is, even after I have disabled the user after one month, what can I do with his or her emails?
And suppose I did the following:

1- Disabled the AD account
2- Took the emails as PST and archived them

Then, let us say the user comes back, so I can enable his AD account again and bring back his or her old emails.

But the question is: right now I have around 300 disabled accounts, with emails already archived.

My point is that I want to delete these accounts permanently, because I can't keep a lot of disabled objects inside AD.

But my colleague is against me; he said we have to keep them all and keep their emails for some years.

Maybe we need them for some reason, technical or legal.

Any advice in this direction?

David Johnson, CD, MVP (Owner) commented:
"but my colleague is against me; he said we have to keep them all and keep their emails for some years. Maybe we need them for some reason, technical or legal"

Consult with HR on this. Since you have the mail archived, IMHO you could delete them. Some companies have a policy of deleting all email > 1 year (some even less). If you don't have it, then an e-discovery hold won't find it.

There should be a clear-cut corporate policy on this. No guessing or opinions.

David Johnson, CD, MVP (Owner) commented:
Disabling the account should be done while the employee is in their termination meeting, whether a friendly or a not-so-friendly conversation.

Ed Dredd commented:
Yes, a clear policy on that should be in place.

nagendra prasad (Sr System Administrator) commented:
Maybe this option works:

Once the employee leaves the organization, we generally move his mailbox to the AD/Disabled_Object/Peoples OU; in case he returns, we enable it and move it back to AD/Peoples/Employees/Location. We will not have any policy applied on this AD/Disabled_Object/Peoples OU.
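
The lifecycle discussed in this thread (disable at departure, park the account in a disabled-objects OU, review for deletion once a retention period has passed), as an added PowerShell example that is not from any of the posters. The domain DN, the 90-day value, the function names and the use of the Description attribute to record the disable date are assumptions; AD does not store a "disabled on" date itself.

```powershell
#Requires -Modules ActiveDirectory
# Assumed values: replace with your own OU path and the retention period your policy sets.
$DisabledOU    = 'OU=Peoples,OU=Disabled_Object,DC=example,DC=com'  # placeholder DN
$RetentionDays = 90
$StampPrefix   = 'Disabled on '

function Disable-Leaver {
    # Hypothetical helper: disable, date-stamp and move one account.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, stamp and move')) {
        Disable-ADAccount -Identity $user
        # Record the date so the retention clock can be checked later.
        # Note: this overwrites any existing Description text.
        $stamp = $StampPrefix + (Get-Date -Format 'yyyy-MM-dd')
        Set-ADUser -Identity $user -Description $stamp
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
}

function Get-ExpiredLeaver {
    # Hypothetical helper: list disabled accounts whose stamp is older than the retention period.
    $cutoff  = (Get-Date).AddDays(-$RetentionDays)
    $pattern = '^' + [regex]::Escape($StampPrefix) + '(\d{4}-\d{2}-\d{2})'
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $DisabledOU -Properties Description |
        ForEach-Object {
            if ($_.Description -match $pattern) {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $cutoff) {
                    [pscustomobject]@{
                        SamAccountName    = $_.SamAccountName
                        DisabledOn        = $disabledOn
                        DistinguishedName = $_.DistinguishedName
                    }
                }
            }
        }
}

# Review the list against the mail archive and the retention policy before deleting.
# -WhatIf shows what would be removed without changing anything:
# Get-ExpiredLeaver | ForEach-Object { Remove-ADUser -Identity $_.DistinguishedName -WhatIf }
```

Running `Disable-Leaver -SamAccountName jdoe -WhatIf` previews the change for a single (constructed) account name without touching the directory.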