Retired Active Directory user accounts

Tiras25
How does everyone handle old user accounts in Active Directory? Do you disable the account and move it to another OU? Delete it? Other options?
Director, Information Systems
Commented:
I disable accounts until I'm sure no one needs to log in as that person - 30 to 60 days.  After that, I delete the account.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
MaheshArchitect
Distinguished Expert 2018
Commented:
It depends upon company policy.

Some big companies keep accounts for 3 years, some keep 6 months, some keep 3 months, etc.

You need to decide how many days you want to keep accounts; of course you will have to disable the account immediately after the employee leaves the organization.

As an IT person, check with your HR and define a policy for the same.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Enable the Recycle Bin if you are running 2008 R2 or above.
https://blogs.technet.microsoft.com/aviraj/2009/03/01/windows-server-2008-r2-active-directory-recycle-bin-step-by-step-guide/

I created an OU "Disabled Users". When someone leaves I will keep the user for 90 days as a disabled user.
I will take a backup of the mailbox if the user has a mailbox. If you have Veeam/BackupExec backup or any good backup this can be skipped.
Then every 3 months I will delete the users in this OU. And it really depends on your company.

In case a user comes back after deletion you can recover.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379509(v=ws.10)
MaheshArchitect
Distinguished Expert 2018
Commented:
You can recover until 180 days after deletion in case the Recycle Bin was already enabled prior to account deletion.

Once the deletion is past 180 days (beyond the tombstone period), you won't be able to recover it by any means, not even with an AD system state backup, as there is risk involved in restoring a system state backup older than 6 months (i.e. beyond the tombstone lifetime period).
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Very easy to increase Recycle bin period
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Agree with Mahesh: a tombstone lifetime of more than 180 days is not recommended.
But you can increase if you wish.
https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Tombstone.html
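The two attributes that bound how long a deleted account can be recovered, read back together with the Recycle Bin state. This is an added example, not code from any poster on this thread; it assumes the RSAT ActiveDirectory module and rights to read (and, if you opt in, write) the Directory Service configuration object.

```powershell
# Added example (not from any poster on this thread). Reads the two lifetimes that
# bound recovery of a deleted account and reports whether the Recycle Bin is enabled.
# Assumes the RSAT ActiveDirectory module and rights on the Directory Service object.
param([int]$RaiseDeletedObjectLifetimeTo = 0)   # e.g. 365, as Shaun suggests; 0 = read-only
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
           -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# An unset tombstoneLifetime means the pre-2003 SP1 default of 60 days, not 180.
# An unset msDS-DeletedObjectLifetime falls back to the tombstone lifetime.
$tombstone = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
$deleted   = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstone }

$rbEnabled = (Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }).EnabledScopes.Count -gt 0

[pscustomobject]@{
    RecycleBinEnabled         = $rbEnabled
    DeletedObjectLifetimeDays = $deleted    # Restore-ADObject brings the account back intact within this window
    TombstoneLifetimeDays     = $tombstone  # after this the recycled/tombstoned object is garbage-collected
    FullRecoveryWindowDays    = if ($rbEnabled) { $deleted } else { 0 }   # no Recycle Bin: reanimation only
    OldestSafeBackupAgeDays   = $tombstone  # Mahesh's point: do not restore a system state backup older than this
}

if ($RaiseDeletedObjectLifetimeTo -gt 0) {
    # Lengthening the Recycle Bin window is one attribute write; tombstoneLifetime is left untouched.
    Set-ADObject -Identity $ds -Replace @{ 'msDS-DeletedObjectLifetime' = $RaiseDeletedObjectLifetimeTo } -Confirm
}
```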
RobertSystem Admin
Commented:
I identify them using dsquery. Here is an example:
dsquery user DC=domain,DC=com -inactive 30 -limit 0 >> C:\inactiveuser-30-weeks-argo-int.txt
Once identified I move them to another OU and disable them for a period of time before deleting. You can either script it out or manually move depending on how many are inactive.
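The full cycle that MAS and Robert describe (identify inactive users, disable them, move them to a holding OU, delete them after 90 days), as an added PowerShell example that is not any poster's code. It assumes the RSAT ActiveDirectory module, a pre-created "Disabled Users" OU whose DN is assumed below, and that service accounts are named svc_*; run it with -WhatIf first.

```powershell
# Added example (not from any poster on this thread): identify, disable, move and later
# delete stale user accounts, in the order MAS and Robert describe.
# Assumptions: RSAT ActiveDirectory module; a pre-created "Disabled Users" OU (DN below is
# assumed); service accounts are named svc_*; run with -WhatIf first.
param(
    [int]$InactiveDays    = 90,      # no logon in 90 days => retire (Robert: dsquery -inactive)
    [int]$DeleteAfterDays = 90,      # MAS: keep disabled 90 days, then delete
    [int]$SafetyLimit     = 25,      # Shaun's "safety limit": abort if more changes are pending
    [string]$DisabledOU   = 'OU=Disabled Users,DC=example,DC=com',   # assumed DN
    [string]$Report       = "$env:TEMP\stale-users-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$WhatIf
)
Import-Module ActiveDirectory
$tag    = 'RETIRED'                           # description stamp "RETIRED yyyy-MM-dd | old text"
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Identify. Search-ADAccount -AccountInactive is the cmdlet equivalent of dsquery -inactive.
#    lastLogonTimestamp replicates lazily (up to 14 days behind), so it only over-estimates age.
#    Accounts created after the cutoff have never been old enough to judge, so they are skipped.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$DisabledOU" } |
    ForEach-Object { Get-ADUser $_.DistinguishedName -Properties Description, whenCreated, LastLogonDate } |
    Where-Object { $_.SamAccountName -notlike 'svc_*' -and $_.whenCreated -lt $cutoff }

$stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -NoTypeInformation -Path $Report
if (@($stale).Count -gt $SafetyLimit) {
    throw "$(@($stale).Count) candidates exceed the safety limit of $SafetyLimit; review $Report first"
}

# 2. Disable first, stamp the description with the date, then move to the holding OU.
foreach ($u in $stale) {
    $stamp = "$tag $(Get-Date -Format yyyy-MM-dd) | $($u.Description)"
    Set-ADUser -Identity $u.DistinguishedName -Enabled $false -Description $stamp -WhatIf:$WhatIf
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOU -WhatIf:$WhatIf
}

# 3. Delete only accounts that have sat disabled in the holding OU for DeleteAfterDays.
#    With the Recycle Bin enabled they stay restorable for msDS-DeletedObjectLifetime afterwards.
$deadline = (Get-Date).AddDays(-$DeleteAfterDays)
Get-ADUser -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties Description |
    Where-Object { $_.Description -match "^$tag (\d{4}-\d{2}-\d{2})" -and [datetime]$Matches[1] -lt $deadline } |
    ForEach-Object { Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$WhatIf }
```

The description stamp is what makes step 3 safe: only accounts this script itself retired, and only after the holding period, are ever deleted.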
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
***Asking purely from a feedback point of view to improve my solution, and not to mock other answers or moan about not being marked as an answer***

Tiras25, do you mind explaining why you consider dsquery a solution and not my tool ADCleanup?

Things to consider
  • dsquery etc. do not have the extra logic that my tool provides
  • tombstone is not Recycle bin
  • If you add a Recycle bin value of 365 days, you have the 365 days, the tombstone, deletion age and the dormancy age before you cannot recover it

My tool provides
  • It can move users/computers if they are dormant
  • It can skip servers and service accounts
  • It takes the password age into consideration
  • It first disables then deletes
  • It updates the computer descriptions of progress
  • It has a configured safety limit
  • Is a set and forget solution
  • Is complemented by Recycle Bin
  • You configure it according to your company policy
  • Disable accounts so you do not need to make sure no one needs to log in as that person
  • Is free
  • etc., etc.
When dealing with stale objects it's a common mistake to just disable/delete them and leave it this way. Even if you have the process automated, it's important that you properly deprovision the users, so that you don't leave any accounts in connected systems, any access rights hanging around, etc.

So, ideally, when you identify an old/inactive account, you should initiate a full termination process (btw, if you don't normally do that for users that are leaving, you should think about that as well)

As for the tools that you can use for that, here's a full PowerShell solution for these purposes that you can use: https://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html