Is there any real risk associated in leaving accounts in AD in a disabled state over a long period of time. Either where account enabled = FALSE, or a historic account expires date has been set and therefore taken effect. I have found a batch of these accounts during a review, often with no login activity in a few years either, which I want to suggest are deleted, but I am not sure how much risk there is in leaving such objects in place. Can you think of anything in particular why this is a poor practice, from a general maintenance or security perspective ? Or does it pose no real risk whatsoever?