
We are an IT company that delivers IT systems, servers and everything else for our customers, and I'm trying to find the best practice when it comes to Active Directory and users leaving the company. We have different types of customers in different kinds of businesses, both large and small, so we have quite a few servers and many Active Directories to maintain. I have been told that we must never delete a User object in AD, and that this is a big security issue if usernames are reused. The reason I was given is the risk that a new user would get the same username that has been used before, which might give him access that he should not have, like access granted directly on a shared folder instead of through a security group.

I have researched and read a lot of documentation and other forum posts on this topic and find myself not so sure. Everything I've learned about AD is that it uses a unique SID for every object, which has nothing to do with the username. While a username can be changed, the SID cannot be changed or reused. From what I have found, it looks like there is even a big risk in keeping accounts stored as disabled in AD for a long period of time?

I have looked at the possibility of making a script that turns a username into a hash that gets stored in a database, so we can check whether a username is available or has been used before. That way we could delete user objects after a period. But now I'm wondering if there is really any reason to do all this work, if reuse of an old username is in fact so bad? The AD for some of our customers has around 2000 disabled users, some more than 2 years old. We have created a new "OU" that is separated from the Users and Disabled OUs, but we still want to remove them from AD, not seeing the reason to keep an object for several years just to avoid the username being reused.

I'm wondering if there is a known best practice on this, and what is the common thing to do? Is the biggest risk to reuse a username or to store it "forever"? Can there be a problem related to LDAP queries, Citrix, Exchange or other systems?

Thank you for any good advice and information.

Hege Jacobsen
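The concern in the question is access granted directly on a folder rather than through a group. The following PowerShell is an added example, not code from the poster: it walks the explicit (non-inherited) ACEs on a share and classifies each one by what the SID resolves to. Because the ACL stores a SID and never a name, an ACE for a deleted user shows up as a raw, unresolvable SID (an "orphaned" grant) and cannot be picked up by a new account that happens to get the same username. The share path, the domain and the RSAT ActiveDirectory module on the admin host are assumptions.

```powershell
# Added example (not from the original post): audit explicit user grants on a share.
# Assumptions: domain-joined admin host with the RSAT ActiveDirectory module,
# and a $Path you are allowed to read ACLs on. '\\fs01\projects' below is made up.
Import-Module ActiveDirectory

function Get-DirectUserGrant {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Recurse
    }

    foreach ($folder in $targets) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from a parent; only explicit grants are interesting here.
            if ($ace.IsInherited) { continue }

            # Get-Acl translates each ACE's SID to DOMAIN\name where it can. When the
            # object behind the SID no longer exists, translation fails and the
            # IdentityReference stays a bare SecurityIdentifier: the orphaned-SID case.
            $id  = $ace.IdentityReference
            $sid = $null
            if ($id -is [System.Security.Principal.SecurityIdentifier]) {
                $sid = $id
            } else {
                try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { $sid = $null }
            }

            $state = 'WellKnownOrUnresolvable'
            if ($sid -and $sid.IsAccountSid()) {
                # IsAccountSid() is true for domain/machine account SIDs, so built-in
                # principals such as BUILTIN\Administrators are skipped.
                if ($id -is [System.Security.Principal.SecurityIdentifier]) {
                    $state = 'Orphaned'   # object deleted; no username can ever match it again
                } else {
                    try {
                        # Get-ADUser accepts a SID string as -Identity; a group or
                        # computer SID is not a user object and throws.
                        $user  = Get-ADUser -Identity $sid.Value -ErrorAction Stop
                        $state = if ($user.Enabled) { 'EnabledUser' } else { 'DisabledUser' }
                    } catch {
                        $state = 'NotADUser'   # group, computer, or a local account
                    }
                }
            }

            [pscustomobject]@{
                Folder   = $folder.FullName
                Identity = $id.Value
                SID      = if ($sid) { $sid.Value } else { $null }
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                State    = $state
            }
        }
    }
}

# Usage (assumed path): the grants that matter when offboarding are the ones
# bound to a disabled user (still live) or to a SID nothing resolves any more.
Get-DirectUserGrant -Path '\\fs01\projects' -Recurse |
    Where-Object { $_.State -in 'Orphaned', 'DisabledUser' } |
    Format-Table Folder, Identity, State, Rights -AutoSize
```

If you create a new account with an old sAMAccountName and compare `(Get-ADUser jsmith).SID.Value` with the SID in an `Orphaned` row, the values differ: the orphaned ACE keeps pointing at the deleted object's SID and grants the new user nothing. The rows to act on are `DisabledUser` (remove the direct grant, or replace it with a group) and `Orphaned` (dead entries worth cleaning out of the ACL).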

1 Answer


The "not reusing usernames" thing sounds like cargo cult system administration to me. User permissions in AD aren't internally assigned to a username but to the user object's Security Identifier (SID), which for all intents and purposes is unique. In other words, I would say you take bigger risks by keeping outdated and disabled user accounts around than by keeping your various namespaces clear for when another John Smith happens to get hired.

By your name I suspect you may be subject to the GDPR or similar legislation, in which case you also stand to lose if you keep too much user data around for unnecessarily long.

So: Make sure you have a good and working backup strategy even for your AD. It may be a good idea to activate the AD Recycle Bin functionality for a reasonable time. Then create and test a procedure to delete user accounts and purge their data when user employment ends.

Mikael H
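The answer's advice is a procedure: confirm the AD Recycle Bin is on, then delete stale leaver accounts in a controlled way. The PowerShell below is an added example, not the answerer's code, that puts those steps together: it checks the Recycle Bin and the deleted-object lifetime, finds disabled users in a parking OU that have not been touched for a set number of days, writes a ledger of their SIDs before deletion (the SID is the only thing an ACL ever referenced, so the ledger is how you later map an orphaned SID back to a person), and deletes in `-WhatIf` mode unless told to commit. The parking OU, the ledger path and the forest name are assumptions.

```powershell
# Added example (not from the original answer): a leaver-cleanup routine.
# Assumptions: RSAT ActiveDirectory module; a parking OU for leavers
# (OU=Disabled Users,DC=corp,DC=example) and a ledger path; both are made up.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # The Recycle Bin is an optional forest feature; EnabledScopes stays empty
    # until someone runs Enable-ADOptionalFeature for it.
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedObjectLifetime {
    # How long a deleted object stays restorable. A null value means the
    # forest default applies (60 or 180 days depending on the forest's age);
    # set it explicitly if your retention policy depends on it.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    [pscustomobject]@{
        DeletedObjectLifetimeDays = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
    }
}

function Remove-StaleDisabledUser {
    param(
        [string] $SearchBase   = 'OU=Disabled Users,DC=corp,DC=example',  # assumed OU
        [int]    $DaysDisabled = 365,
        [string] $LedgerPath   = 'C:\Offboarding\deleted-users.csv',      # assumed path
        [switch] $Commit       # without -Commit the deletions are only shown (-WhatIf)
    )

    if (-not (Test-ADRecycleBinEnabled)) {
        throw 'AD Recycle Bin is not enabled; enable it (and take a backup) before deleting accounts.'
    }

    # whenChanged is the last write to the object; for a parked leaver account that
    # is normally the disable/move, so it is a usable proxy for "disabled since".
    $cutoff = (Get-Date).AddDays(-$DaysDisabled)
    $stale  = @(Get-ADUser -Filter { Enabled -eq $false -and whenChanged -lt $cutoff } `
                           -SearchBase $SearchBase -Properties whenChanged, LastLogonDate)

    # Ledger first, delete second: record the SID and DN so an orphaned SID found in
    # an ACL next year can still be tied to the person who had it.
    $stale |
        Select-Object SamAccountName, DistinguishedName,
                      @{ n = 'SID';       e = { $_.SID.Value } },
                      whenChanged, LastLogonDate,
                      @{ n = 'DeletedOn'; e = { Get-Date -Format s } } |
        Export-Csv -Path $LedgerPath -NoTypeInformation -Append

    foreach ($u in $stale) {
        # -WhatIf is bound from the switch, so the default run is a dry run.
        Remove-ADUser -Identity $u -Confirm:$false -WhatIf:(-not $Commit)
    }
    return $stale
}

function Get-ADDeletedUser {
    # What the Recycle Bin currently holds. objectClass 'user' in the filter also
    # matches computers (they derive from user), hence the client-side filter.
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
                 -IncludeDeletedObjects -Properties objectSid, LastKnownParent, whenChanged |
        Where-Object { $_.ObjectClass -eq 'user' }
}

# Usage: check the forest, dry-run the cleanup, then commit.
Get-ADDeletedObjectLifetime
Remove-StaleDisabledUser -DaysDisabled 365            # report only
Remove-StaleDisabledUser -DaysDisabled 365 -Commit    # actually delete
Get-ADDeletedUser | Format-Table Name, LastKnownParent, whenChanged -AutoSize
```

If a deletion turns out to be premature, `Restore-ADObject -Identity <objectGUID>` on an entry from `Get-ADDeletedUser` brings the object back with its original SID and group memberships, which is the property that makes the Recycle Bin a real safety net rather than just a tombstone; once the deleted-object lifetime has passed, only the backup the answer insists on can do that.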