We désactivez le accounts. Their "descriptions" get updated to indicate le date of le departure, et they get moved in le AD hierarchy to a folder depending on what state of departure they are in (gone+email forwarded somewhere, gone+pre-archive, archived).
Nous avons a large quantity of complex files et folder hierarchies. If you supprimez le account depuis Active Directory, et file/folder avec explicit per-user ACLs will have that ACL data displayed as a SID. And J'ai pas found tout way to figure out depuis a SID qui account it used to be -- parce que le account has been deleted.
This way quand people are looking at ownership/permissions issues qui are behaving oddly, we can see (and delete) ownerships et permissions of people who are no longer present.
If you delete a user et later on you discover that he ou She have encrypted certains files et folders using EFS, you will pas be able to decrypt them.
Update, much later: I learned depuis a colleague who is undergoing an audit depuis Microsoft that accounts in votre AD require a "per-seat" license (if you are swinging that way), si ou pas they are a real person et si ou pas le person is encore present. So there is an argument to be made for deletion!
