Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does.
The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. Sort of like how your mother never threw out egg cartons; you never know when you might need them.
And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back (and the teacher probably needs the egg cartons for some art project).
So disabling the AD account is key, the best way to go about it. But, like Mom with the egg cartons, you don't want to be a hoarder. Keeping all of those disabled accounts in your production user OU is just bad form. And a very slight, but possible, security risk.
So, we recommend moving disabled AD accounts to a non-production OU as part of your deprovisioning/disabling process. With GroupID Synchronize, it's simple, just insert a powertool into the job that moves the account to another OU as soon as the account is disabled. Place the reverse in your "bring back to the fold" provisioning/enabling job and you have satisfied all of your requirements.
It's then easy to manage the "disabled user" OU; if an account has been there too long, delete it. You get to decide the policy based on your individual needs.
