33

When an employee leaves your organization, do you delete or disable their Active Directory account? Our SOP is to disable, export/purge the Exchange mailbox, and then after "some time" has elapsed (usually quarterly), delete the account.

Is there any need for that delay? After exporting and purging their mailbox, why shouldn't I delete the account right then and there?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Matt Rogish
  • 1,512
  • 6
  • 25
  • 41

12 Answers12

36

We disable the accounts. Their "descriptions" get updated to indicate the date of the departure, and they get moved in the AD hierarchy to a folder depending on what state of departure they are in (gone+email forwarded somewhere, gone+pre-archive, archived).

We have a large quantity of complex files and folder hierarchies. If you delete the account from Active Directory, and file/folder with explicit per-user ACLs will have that ACL data displayed as a SID. And I have not found any way to figure out from a SID which account it used to be -- because the account has been deleted.

This way when people are looking at ownership/permissions issues which are behaving oddly, we can see (and delete) ownerships and permissions of people who are no longer present.

If you delete a user and later on you discover that he or She have encrypted some files and folders using EFS, you will not be able to decrypt them.

Update, much later: I learned from a colleague who is undergoing an audit from Microsoft that accounts in your AD require a "per-seat" license (if you are swinging that way), whether or not they are a real person and whether or not the person is still present. So there is an argument to be made for deletion!

Angel115
  • 165
  • 1
  • 7
David Mackintosh
  • 14,223
  • 6
  • 46
  • 77
  • 3
    Good point with the SID on explicit ACLs – Matt Rogish Sep 10 '09 at 16:26
  • 3
    My manager uses this argument as well. To be honest I'm not in favour of just disabling accounts and would rather delete them. Best practice suggests you shouldn't explicitly permission users on ACLs and if the SID is just displaying, why not remove it? – fenster Sep 10 '09 at 17:26
  • 4
    Because "Best Practices" don't always happen in the real world, especially if you have users messing around with permissions themselves. Leaving the user name in there means you can search out a responsible person and (have them) decide what should happen now that the departed has... erm... departed. – David Mackintosh Sep 10 '09 at 18:17
  • 2
    Disabled accounts require a cal? That doesn't seem right. I understand enabled accounts, but really? – Jason Berg Aug 25 '10 at 03:26
  • 1
    Did MS give any details as to why that was the case? I've always heard that per user was per person, not per user account. – David Aug 25 '10 at 05:23
  • many places have "all you can eat" licensing from MS (especially schools), in my exposure - might be worth looking at that from an organizational perspective :) – warren Oct 03 '12 at 14:53
  • 1
    One thing we do when we disable accounts is we have an Organizational Unit in our domain called "Graveyard" where we move disabled accounts. Keeps them out of the way but still active in the system. We occasionally will delete older disabled accounts, but only after a review to ensure they are not listed an ACL or GPO somewhere. – myron-semack Mar 12 '15 at 13:50
17

Once they quit, they ain't coming back usually. I see no reason to hang onto old accounts. Here is what we do:

Files:

  • Go through their desktop (My Documents and Desktop usually) and archive their old data to the archive fileserver (just a few 1tb drives in RAID-5)
  • Back up their /user folder on the regular fileserver to the archive one as well.

Emails:

  • Back up all their emails (either in pst or just save their mailbox, depending on OS) and put it in a safe place. Sometimes managers need access to ex-employees mailboxes to retrieve specific emails.
  • If needed we set up an email forward to a manager or coworkers account until there is no more mail coming through.
dubRun
  • 1,079
  • 2
  • 12
  • 22
11

Here at my place of Higher Ed we have a disable and retain for 2 weeks policy.

  • When their account gets listed in Banner as 'inactive' the next night's batch processing will fire off the Disable process.
    • Their Novell accounts are disabled AND a login-time restriction put in place.
    • Their AD accounts are disabled AND a login-time restriction put in place.
    • Their Exchange accounts are set with a Delivery Restriction to themselves, forcing all mail to that account to bounce (new with Exchange 2007, disabled accounts can still receive mail).
  • Two weeks elapse, during which time managers may throw data-retention flags. We deal with special snowflakes during this interval.
  • At the end of two weeks accounts, user-directories, and mailboxes are purged.

Managers requesting access to user-directory data are given a CD, not direct access. FAR too often in the past said managers just use the user-directory as yet another file store.

Managers requesting access to emails are given a PST export of the mailbox, and not direct access.

Managers complaining that said 20 year veteran of the department was the sole point of contact for a certain critical function, and therefore they need to keep the name around so critical mails don't get bounced, get their hands held. We try to put an Out Of Office rule on the disabled mailbox stating that the person has left and please contact Person B instead. We then set a hard delete-date for that account suitably far in the future to make sure that the world knows that Person A is no longer here. We do NOT put that email address on another mailbox if we can at all help it. We are not always successful.

Sometimes that 20 year veteran was the prime secretary support for an area, and therefore was a Delegate of pretty much everyone with a calendar that needs managing. As soon as an account like that gets disabled, anyone sending an appointment to the managed calendars will get unusual bounce messages. Temporarily re-enabling the account stops the bounce messages while desktop staff go through and hand-remove the Delegates from all of the mailboxes. This can take a couple of days for the desktop staff to negotiate with the owners of said calendars to get in and make the needed settings. The account is then re-disabled and will be subject to the usual 2-week deletion. This is one 'feature' of Exchange that I particularly don't like.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
8

I'm not a fan of immediately deleting an AD account after an employee or contractor leaves the company. I've found that it's best to disable for at least 30 days and then delete the disabled accounts 1-2 times a year.

There are a couple of reasons why you don't want to delete an account immediately:

1- Forensics. If your organization has a need to pursue legal action against an employee or contractor you will need the original account(SID).

2- Automated Tasks- Users, especially IT workers, tend to setup automated tasks to do thinks like run jobs, automate reports, recycle services, etc. Your going to be in a bind if you delete the user account before you realized there were complex jobs or tasks tied to the ID's. You can't simply recreate the account with the same name because the SID won't be the same and that's what the automated tasks look at not the visible name of the account.

If you disable first, you can always re-enable the account, change or recover the password, and your back in business until you get the job transitioned over to a legitimate service account.

4

We have pretty strict audit requirements, and are often asked to prove that a user was disabled, and when. To deal with this we tend to disable the account when we're told they've left. Move the disabled accounts to their own OU, and update the description with the date they've left (it also comes in handy for letting us disable people who disappear for a prolonged period of time and re-enable them when they come back).

Once they've gone for 6 months then we delete them.

Mike1980
  • 1,018
  • 7
  • 15
  • Can't that date be "gamed" or does AD, inside, store an inactive date that is not easily editable by Admins ? I guess you could look at last modified date but if you ever touch it you lose that history – Matt Rogish Sep 10 '09 at 16:34
  • It could pretty easily be changed, fortunately it's not come up yet :-) If it's ever queried there is always the last modified attribute of the user object which should have the same date as the date in the description field for when the account was disabled. – Mike1980 Sep 10 '09 at 17:09
  • Of course there's nothing stopping an admin from changing the date on the DC, modifying the account, and changing the date back... Forensics are really tough these days. – Chris S Aug 25 '10 at 02:42
4

If they are gone for more than 3 months, I delete their accounts. All our systems have GPO enforced desktop and folder redirection for My Documents/Desktop etc, so after deleting I archive those to my archive volume on the file server.

I am pedantic about using role based security groups on A/D for everything, so there are no users who have permissions to the file system or anything else implicitly applied, so no biggie deleting a user. Setting this up takes a bit of thought and head-scratching - but I really recommend one does it, as it does make managing permissions on a Windows Network a cinch.

As for exchange, I export the mailbox with ExMerge, and put the .pst with the archived folder, then setup forwarding or bounce messages depending on the role of the person that has left.

ColtonCat
  • 738
  • 3
  • 7
3

There can be a very big problem with deleting computer accounts: law.

Under the EU Data Protection Directive some member states (Poland in particular) require to never assign the same user ID to anybody else and at the same time, keep log of who and when had been granted access and when the access was revoked.

In short: if you deal with personal data, better ask a lawyer/legal team.

Hubert Kario
  • 6,351
  • 6
  • 33
  • 65
  • Does anyone have a source for the Polish requirement? I can't find this requirement in either the EU Directive, or the legislation implementing the directive for either Poland or the UK. – Adam Thompson Jan 21 '15 at 11:00
  • 1
    @AdamThompson: unfortunately I couldn't find it in English, but here it is in Polish: http://www.giodo.gov.pl/144/id_art/1002/j/pl/ (Dz. U. z 2004 r. Nr 100, poz. 1024) you can find it in Appendix A, § IV, point 1: "Identyfikator użytkownika, który utracił uprawnienia do przetwarzania danych, nie może być przydzielony innej osobie.", google translate does a decent job at it. – Hubert Kario Jan 21 '15 at 16:05
  • 1
    Correction, I found them here: http://www.giodo.gov.pl/409/id_art/209/j/en/ – Hubert Kario Jan 21 '15 at 16:08
  • Many thanks, Hubert. My reading of this would suggest that you can't reuse the same account, but creating a new account with the same name would be OK. The old "adam@example.com" account would be deleted, and perhaps later, a new "adam@example.com" account would be created - but it would have a different SID or UID and would therefore be a different "Identyfikator" / ID. Perhaps it's one for the lawyers to argue, although how that would work in the case of a civil (as opposed to common) law legal system, I'm not sure. – Adam Thompson Jan 22 '15 at 10:20
  • 1
    @AdamThompson: I'm quite sure that's an incorrect reading. See II.2. "b) access to data is available only after entering the identifier and user’s authentication." You don't enter the SID/ UID, you enter the human-readable username, so you can't have two users with "adam@example.com". Now, if you can create multiple accounts that share the same SID/UID... that I do not know, but probably is not allowed either. – Hubert Kario Jan 23 '15 at 13:44
3

The policy at the university I attended and worked-for is the following:

Students

  • upon withdrawal
    • disable account
    • 30 days later, delete if not re-enrolled
  • graduation + 90 days
    • disable account
    • create "alum" forwarding address
    • delete 30 days later

Staff / Faculty

  • upon leaving
    • disable account
    • delete 30 days later
warren
  • 17,829
  • 23
  • 82
  • 134
2

I work as a remote support (Elevated HelpDesk) technician for a fortune 500 energy utility. Beeing the nature of our business we have all types of scenarios ranging from contractors that come and go to the 20 year veteran as described above. From what I have seen our policy is cut aand dry.

All accounts have the last ticket number and date and type of change in the description field. E.g. Change Order 123456 Created on 00/00/00 by the access manager Terminated on 00/00/00 or Re-enabled on 00/00/00 by Manager's Name

Immediately upon notification of a discrepancy the HelpDesk disables the account. Upon confirmation or automatically after a set time the user to the disabled accounts OU and ads three tildes and the termination date (~~~00/00/00) to the display name to allow both IT and end users to quickly identify at a glance the user is no loner with the company.

I can't provide information on what happens to the data. I don't work in that department. But I do know after about a moth the account is gone completely.

These concepts of data and retention, while still protecting the organization from a disgruntled employee should be part of any organization's IT policies. But time in between each step will vary by the company.

It really does help us in desktop especially when troubleshooting messaging issues.

Hope this helps

growse
  • 7,830
  • 11
  • 72
  • 114
kokan90
  • 21
  • 1
2

If you've backed up all their data i don't see any reason to keep the active directory account. However I would keep their email account active and forward on their email to someone else incase a client contacts them or another associate.

Highstead
  • 214
  • 1
  • 7
2

I have two consulting clients of whom I used to be a full-time employee. My personnel number and everything is the same, and I'm pretty sure they never delete AD accounts - they just disable them - when I came back they just reinstated me.

The only issue I see there is that all my group memberships and accesses that are tied to my SID (AD group memberships only, I think) are still there, so if I was supposed to come back in a reduced capacity, reviewing those memberships would be a critical step.

Then, regardless of whether you delete and recreate or whether you disable and enable, if the samaccountname stays the same, ALL other systems that reference that user account would have to be scrubbed.

warren
  • 17,829
  • 23
  • 82
  • 134
Jason Kleban
  • 786
  • 3
  • 8
  • 19
1

We have people that routinely withdraw then return anywhere from a week to six months later. When we would disable the accounts we had some issue that I can't recall the nature of now...possibly email related? Some other warning? We changed our procedure instead so that the password is reset to something akin to gibberish and a note is placed into the description field detailing the situation so anyone else editing their user information would know it for reference.

The account is eventually rolled out no matter what once they are supposed to have graduated.

Deleting the account then and there...I'd say it's a matter of policy, but holding off does also have the benefit of "playing it safe" in case there's a mistake or a change of situation. Or there's ramification to simply deleting the data and suddenly someone needs access to certain files or information or mail, etc...but that can be handled through other means if you have policies in place to restore old information and whatnot. For us it's just easier to keep parts of the account around for awhile until it's settled that it won't be needed anymore, reduces some effort and headache later on.

Bart Silverstrim
  • 31,092
  • 9
  • 65
  • 87