Retired Active Directory user accounts

How does everyone handle old user accounts in Active Directory? Do you disable them and move them to another OU? Delete them? Other options?
Tiras25 asked:
Paul MacDonald (Director, Information Systems) commented:
I disable accounts until I'm sure no one needs to log in as that person - 30 to 60 days.  After that, I delete the account.

Shaun Vermaak (Technical Specialist) commented:
Mahesh (Architect) commented:
It depends on company policy.

Some big companies keep accounts for 3 years, some keep 6 months, some keep 3 months, etc.

You need to decide how many days you want to keep accounts; of course, you will have to disable them immediately after the employee leaves the organization.

As an IT person, check with your HR and define a policy for this.
MAS (EE Solution Guide - Technical Dept Head) commented:
Enable the Recycle Bin if you are running 2008 R2 or above.
https://blogs.technet.microsoft.com/aviraj/2009/03/01/windows-server-2008-r2-active-directory-recycle-bin-step-by-step-guide/

I created an OU "Disabled Users". When someone leaves, I keep the user in there, disabled, for 90 days.
I take a backup of the mailbox if the user has one. If you have Veeam/BackupExec or any other good backup, this can be skipped.
Then every 3 months I delete the users in this OU. It really depends on your company.

If a user comes back after deletion, you can recover the account.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379509(v=ws.10)
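The workflow MAS describes (disable on departure, park the account in a "Disabled Users" OU, delete after 90 days), as an added PowerShell example that is not code from the thread or from any of the participants. It assumes the ActiveDirectory RSAT module, that the OU "OU=Disabled Users,DC=example,DC=com" exists (change it to your own), and that the caller may disable, move and delete users and edit group membership. The disable date is stamped into the description so the purge step has something to measure from, and group memberships are stripped at disable time so a later re-enable does not silently restore the old access.

```powershell
# Added example, not code from the thread. Implements: disable the leaver, strip groups,
# stamp the date, park in the holding OU, purge after the retention period.
# Assumptions: ActiveDirectory module installed; the OU below exists; sufficient rights.
Import-Module ActiveDirectory

$DisabledOU    = 'OU=Disabled Users,DC=example,DC=com'   # assumed OU; adjust to your domain
$RetentionDays = 90                                       # the post's 90-day hold

function Disable-LeaverAccount {
    # Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd')

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, strip groups, stamp, move')) { return }

    # 1. Block logon first; everything after this is housekeeping.
    Disable-ADAccount -Identity $user

    # 2. Strip group memberships so a re-enable (by mistake, or by someone who talks the
    #    help desk into it) does not come with the old access. The former groups are kept
    #    in the Notes (info) attribute so a genuine rehire can be rebuilt from the record.
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }

    # 3. Stamp the disable date in the description; the purge step parses it.
    Set-ADUser -Identity $user -Description "Disabled $stamp (offboarding)"
    if ($groups.Count -gt 0) {
        Set-ADUser -Identity $user -Replace @{ info = 'Former groups: ' + ($groups -join ', ') }
    }

    # 4. Park it in the holding OU so it is easy to audit and to purge.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

function Remove-ExpiredLeaverAccount {
    # Deletes disabled accounts in the holding OU whose stamp is older than $RetentionDays.
    # Accounts without a parseable stamp are reported and left alone rather than guessed at.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
    $parked = Get-ADUser -SearchBase $DisabledOU -Filter "Enabled -eq 'False'" -Properties Description
    foreach ($u in $parked) {
        if ($u.Description -notmatch '^Disabled (\d{4}-\d{2}-\d{2})') {
            Write-Warning "$($u.SamAccountName): no disable stamp, skipping"
            continue
        }
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($disabledOn -lt $cutoff -and
            $PSCmdlet.ShouldProcess($u.DistinguishedName, "Delete (disabled $($Matches[1]))")) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
}

# Usage:
#   Disable-LeaverAccount -SamAccountName jdoe -WhatIf
#   Remove-ExpiredLeaverAccount -WhatIf
```

Both functions honour -WhatIf, so the purge can be scheduled and dry-run against the OU before it is allowed to delete anything. Deleting is still only safe to the extent the Recycle Bin is enabled and its deleted-object lifetime covers the time a returning user might need.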
Mahesh (Architect) commented:
You can recover up to 180 days after deletion, provided the Recycle Bin was already enabled before the account was deleted.

Once the deletion is more than 180 days old (beyond the tombstone period), you won't be able to recover it by any means, not even with an AD system state backup, as there is risk involved in restoring a system state backup older than 6 months (i.e. beyond the tombstone lifetime period).
Shaun Vermaak (Technical Specialist) commented:
It is very easy to increase the Recycle Bin period.
MAS (EE Solution Guide - Technical Dept Head) commented:
Agree with Mahesh: a tombstone period of more than 180 days is not recommended.
But you can increase it if you wish.
https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Tombstone.html
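The recovery windows the last three comments argue about (tombstone lifetime, Recycle Bin deleted-object lifetime, and how to extend the latter), plus the restore itself, as an added PowerShell example that is not code from the thread. It assumes the ActiveDirectory module; enabling the Recycle Bin and changing the lifetime need Enterprise Admin rights and a forest functional level of 2008 R2 or higher. The account name jdoe is a placeholder.

```powershell
# Added example, not from the thread: inspect the forest's recovery windows, enable the
# Recycle Bin, extend the deleted-object lifetime, and restore a deleted user.
# Assumptions: ActiveDirectory module; Enterprise Admin for the enable/extend steps.
Import-Module ActiveDirectory

function Get-ADRecoveryWindow {
    # Returns the lifetimes that decide how long a deleted account is still recoverable.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
            -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    # An unset tombstoneLifetime means the legacy default of 60 days; forests created on
    # 2003 SP1 or later have it set explicitly (normally 180). An unset
    # msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    $rb  = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        RecycleBinEnabled         = [bool]$rb.EnabledScopes
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        # A system state backup older than the tombstone lifetime must not be restored:
        # the restored DC would reintroduce objects the rest of the forest has purged.
        OldestUsableBackupDays    = $tsl
    }
}

function Enable-ADRecycleBinFeature {
    # One-way operation: once enabled, the Recycle Bin cannot be turned off again.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $forest = (Get-ADForest).Name
    if ($PSCmdlet.ShouldProcess($forest, 'Enable Active Directory Recycle Bin')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
    }
}

function Set-ADDeletedObjectLifetime {
    # Extends the window in which deleted objects keep their attributes and can be
    # restored with Restore-ADObject (what the thread calls "the Recycle Bin period").
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Days)
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
    if ($PSCmdlet.ShouldProcess($dn, "Set msDS-DeletedObjectLifetime to $Days")) {
        Set-ADObject -Identity $dn -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
    }
}

function Restore-DeletedUser {
    # Finds a deleted (not yet recycled) user by sAMAccountName and restores it.
    # If the original OU is gone as well, pass -TargetPath to put it somewhere that exists.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$TargetPath)
    $obj = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $obj) { throw "$SamAccountName not found among deleted objects (already recycled, or never existed)" }
    if (@($obj).Count -gt 1) { throw "Several deleted objects named $SamAccountName; restore by ObjectGUID instead" }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore (last changed $($obj.whenChanged))")) {
        if ($TargetPath) { Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath }
        else             { Restore-ADObject -Identity $obj.ObjectGUID }
    }
}

# Usage:
#   Get-ADRecoveryWindow
#   Enable-ADRecycleBinFeature -WhatIf
#   Set-ADDeletedObjectLifetime -Days 365 -WhatIf
#   Restore-DeletedUser -SamAccountName jdoe -WhatIf
```

Run Get-ADRecoveryWindow before relying on any "we can always restore it" assumption: if the Recycle Bin is not enabled, Restore-ADObject only reanimates a tombstone, which has lost most attributes and all group memberships.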
Robert (System Admin) commented:
I identify them using dsquery.
Here is an example:
:: -inactive takes a number of weeks, so 30 here means 30 weeks (about 210 days)
dsquery user DC=domain,DC=com -inactive 30 -limit 0 >> C:\inactiveuser-30-weeks-argo-int.txt

Once identified, I move them to another OU and disable them for a period of time before deleting. You can either script it out or move them manually, depending on how many are inactive.
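The same search Robert runs with dsquery (users inactive for 30 weeks), as an added PowerShell example that is not code from the thread, with the checks a cleanup job needs before it acts on the list: skipping service accounts, not flagging freshly created accounts that have simply never logged on, and allowing for the replication lag of lastLogonTimestamp. It assumes the ActiveDirectory module; the excluded OU and the "svc-" prefix are assumptions standing in for your own service-account convention.

```powershell
# Added example, not from the thread: find dormant, enabled users (the dsquery -inactive
# equivalent) with exclusions and caveats applied.
# Assumptions: ActiveDirectory module; the OU and prefix below are placeholders.
Import-Module ActiveDirectory

function Get-DormantUser {
    param(
        [int]$InactiveDays = 210,      # 30 weeks, the same window as the dsquery example
        [string[]]$ExcludeOU = @('OU=Service Accounts,DC=example,DC=com'),  # assumed
        [string]$ServiceAccountPrefix = 'svc-'                               # assumed
    )
    # lastLogonTimestamp (surfaced as LastLogonDate) is only replicated when it is more
    # than 9-14 days stale, so it can lag a real logon by up to two weeks. Keep the
    # dormancy window well above that and never use it for anything finer than weeks.
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-ADUser -Filter "Enabled -eq 'True'" `
               -Properties LastLogonDate, whenCreated, PasswordLastSet |
      Where-Object {
        $u = $_
        # Skip service accounts, both by OU and by naming prefix.
        $inExcludedOU = [bool]($ExcludeOU | Where-Object { $u.DistinguishedName -like "*,$_" })
        if ($inExcludedOU -or $u.SamAccountName -like "$ServiceAccountPrefix*") { return $false }
        # An account that never logged on has no LastLogonDate; judge it by its age instead,
        # otherwise every freshly created account would look dormant.
        if ($u.LastLogonDate) { $u.LastLogonDate -lt $cutoff } else { $u.whenCreated -lt $cutoff }
      } |
      Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName
}

# Usage: review the list before disabling anything.
#   Get-DormantUser | Export-Csv -NoTypeInformation -Path C:\inactive-users-30-weeks.csv
#   Get-DormantUser -InactiveDays 90 | Format-Table -AutoSize
```

Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 210.00:00:00 gives the raw equivalent of the dsquery output, but without the exclusions above; PasswordLastSet is included in the output because a dormant account with a password that has not changed in years is the one worth looking at first.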
Shaun Vermaak (Technical Specialist) commented:
***Asking purely from a feedback point of view to improve my solution, not to mock other answers or to moan about not being marked as the answer***

Tira25, do you mind explaining why you consider dsquery a solution and not my tool ADCleanup?

Things to consider
  • dsquery etc. do not have the extra logic that my tool provides
  • the tombstone is not the Recycle Bin
  • If you set a Recycle Bin value of 365 days, you have the 365 days, the tombstone, the deletion age and the dormancy age before you cannot recover it

My tool provides
  • It can move users/computers if they are dormant
  • It can skip servers and service accounts
  • It takes the password age into consideration
  • It first disables, then deletes
  • It updates the computer descriptions with its progress
  • It has a configurable safety limit
  • It is a set-and-forget solution
  • It is complemented by the Recycle Bin
  • You configure it according to your company policy
  • It disables accounts, so you do not need to make sure no one needs to log in as that person
  • It is free
  • etc., etc.