Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Active Directory: supprimer vs. désactiver departed employees

ayi

When an employee leaves your organization, do you delete or disable their Active Directory account? Our SOP is to disable, export/purge the Exchange mailbox, and then after “some time” has elapsed (usually quarterly), delete the account.
Is there any need for that delay? After exporting and purging their mailbox, why shouldn’t I delete the account right then and there?

ayi_2

We disable the accounts. Their “descriptions” get updated to indicate the date of the departure, and they get moved in the AD hierarchy to a folder depending on what state of departure they are in (gone+email forwarded somewhere, gone+pre-archive, archived).
We have a large quantity of complex files and folder hierarchies. If you delete the account from Active Directory, and file/folder with explicit per-user ACLs will have that ACL data displayed as a SID. And I have not found any way to figure out from a SID which account it used to be – because the account has been deleted.
This way when people are looking at ownership/permissions issues which are behaving oddly, we can see (and delete) ownerships and permissions of people who are no longer present.
If you delete a user and later on you discover that he or She have encrypted some files and folders using EFS, you will not be able to decrypt them.
Update, much later: I learned from a colleague who is undergoing an audit from Microsoft that accounts in your AD require a “per-seat” license (if you are swinging that way), whether or not they are a real person and whether or not the person is still present. So there is an argument to be made for deletion!