(Msg. 1) Posted: Wed Sep 24, 2008 4:50 pm
Post subject: Standard Procedure for disabled user accounts
Archived from groups: microsoft>public>win2000>active_directory
I was wondering if there is an industry standard for the expiration of "user
accounts" of users who have left the company? Is it an industry standard to
just delete the account after a certain time period? Any input or
documentation would be very much appreciated.
(Msg. 2) Posted: Wed Sep 24, 2008 5:35 pm
Post subject: Re: Standard Procedure for disabled user accounts
cclark wrote:
> I was wondering if there is an industry standard for the expiration of
> "user accounts" of users who have left the company? Is it an industry
> standard to just delete the account after a certain time period? Any input
> or documentation would be very much appreciated.

It's up to the organization. Factors in the decision would be the password
expiration policy, security concerns, sensitivity of resources, consequences
of a breach of security, type of user (admin or regular user), etc. Many
organizations first disable stale accounts, and possibly move them to
another OU to keep track of them. An account may be considered stale if the
password has not changed (or the user has not logged on) in 60, 90, 120, or
whatever number of days. If the account has been disabled for another period
of time with no complaints, it is probably safe to delete it.
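
The staged approach described in the reply above (flag stale, disable and move to a holding OU, delete after a quiet period), as an added example that is not part of the original post. The thresholds, OU paths and the `Disabled-Stale` description stamp are assumptions, and an account counts as stale here only when both the last logon and the last password change are old, a conservative reading of the criterion above.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumed values: choose thresholds and OUs to match your own policy.
$StaleDays    = 90       # no logon AND no password change for this long => stale
$GraceDays    = 180      # disabled this long with no complaints => delete
$SearchBase   = 'OU=Staff,DC=example,DC=com'             # placeholder
$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com'    # placeholder
$Apply        = $false   # $false = report only (-WhatIf); $true = make changes

$now         = Get-Date
$staleCutoff = $now.AddDays(-$StaleDays)

# Stage 1: enabled accounts with no recent logon and no recent password change.
# LastLogonDate comes from lastLogonTimestamp, which can lag the real logon by
# up to about 14 days, so keep $StaleDays well above that.
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        $_.whenCreated -lt $staleCutoff -and
        (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $staleCutoff) -and
        (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $staleCutoff)
    }

foreach ($u in $stale) {
    # Stamp the disable date (overwrites any existing Description) so stage 2
    # does not have to rely on whenChanged.
    $stamp = 'Disabled-Stale {0:yyyy-MM-dd}' -f $now
    Set-ADUser        -Identity $u -Description $stamp      -WhatIf:(-not $Apply)
    Disable-ADAccount -Identity $u                          -WhatIf:(-not $Apply)
    Move-ADObject     -Identity $u -TargetPath $QuarantineOU -WhatIf:(-not $Apply)
}

# Stage 2: quarantined accounts whose stamp is older than the grace period.
$expired = Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' `
              -Properties Description |
    Where-Object {
        $_.Description -match '^Disabled-Stale (\d{4}-\d{2}-\d{2})$' -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $now.AddDays(-$GraceDays)
    }

$expired | Remove-ADUser -Confirm:$false -WhatIf:(-not $Apply)
```

With `$Apply` left at `$false` every change is only reported, which gives a list to review against HR records before anything is disabled or deleted.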
(Msg. 3) Posted: Thu Sep 25, 2008 3:16 pm
Post subject: Re: Standard Procedure for disabled user accounts
"Richard Mueller [MVP]" <rlmueller-nospam.RemoveThis@ameritech.nospam.net> wrote in
message news:OyOUhXpHJHA.3548@TK2MSFTNGP05.phx.gbl...
> cclark wrote:
>
> > I was wondering if there is an industry standard for the expiration of
> > "user accounts" of users who have left the company? Is it an industry
> > standard to just delete the account after a certain time period? Any
> > input or documentation would be very much appreciated.
>
> It's up to the organization. Factors in the decision would be the password
> expiration policy, security concerns, sensitivity of resources,
> consequences of a breach of security, type of user (admin or regular
> user), etc. Many organizations first disable stale accounts, and possibly
> move them to another OU to keep track of them. An account may be
> considered stale if the password has not changed (or the user has not
> logged on) in 60, 90, 120, or whatever number of days. If the account has
> been disabled for another period of time with no complaints, it is
> probably safe to delete it.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --

Thanks Richard,

So there is no standard industry procedure for retention/deletion of
accounts of employees who have left the company. What would be the pros and
cons of deleting these old user accounts? Now that I think about it, I
should ask the same question about Exchange mailboxes of employees who have
left the company.
(Msg. 4) Posted: Thu Sep 25, 2008 4:58 pm
Post subject: Re: Standard Procedure for disabled user accounts
> Thanks Richard,
>
> So there is no standard industry procedure for retention/deletion of
> accounts of employees who have left the company. What would be the pros
> and cons of deleting these old user accounts? Now that I think about it, I
> should ask the same question about Exchange mailboxes of employees who
> have left the company.
>
> Thanks,
> cclark

There is no standard. I know of companies that use 6 months, I think some
use a year, 3 months may be more common. Some companies have no policy (I've
been involved in fixing the mess). Many companies insist that accounts be
deleted immediately, especially if an employee is fired, but this requires
knowing for sure the employee has left.

If there is a way to reliably know when an employee has left (from HR for
example), the account should be disabled and deleted immediately. Then
Exchange mailboxes can be dealt with. Also, you may have retention policies
requiring all email messages be retained for a period. The only reason not
to delete an account immediately is because you are not positive the person
has left, perhaps because you flagged the account for inactivity in the last
3 months and there is a chance they are on leave. Disabling the account
first is a common solution.

I was involved with a company division that was sold and we had to delete
1500 accounts in the old company immediately (of course the effective time
was midnight). We spent weeks after that with Exchange, file systems,
computers, mainframe resources, etc.
(Msg. 5) Posted: Thu Sep 25, 2008 11:52 pm
Post subject: Re: Standard Procedure for disabled user accounts
some disable it and keep it
some delete it right away
some disable it and strip it (e.g. group memberships) and after a while delete it
for all scenarios something also needs to be done about data like
home directory, mailbox, receiving mail, hiding in address book, etc.

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
"cclark" <cclark DeleteThis @nospam.org> wrote in message
news:eYZOY#oHJHA.1940@TK2MSFTNGP03.phx.gbl...
> I was wondering if there is an industry standard for the expiration of
> "user accounts" of users who have left the company? Is it an industry
> standard to just delete the account after a certain time period? Any input
> or documentation would be very much appreciated.
>
> Thanks,
> cclark
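
The "disable it and strip it" option from the post above, as an added example that is not part of the original post. The leaver list and audit path are constructed placeholders, `msExchHideFromAddressLists` is only present where the Exchange schema extensions are installed, and home directories and mailbox retention are left to separate steps.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumed inputs: a constructed HR leaver list and a placeholder audit file.
$Leavers  = @('jdoe', 'asmith')                 # sAMAccountNames (constructed)
$AuditCsv = 'C:\Offboarding\memberships.csv'    # placeholder path
$Apply    = $false                              # $false = report only (-WhatIf)

foreach ($sam in $Leavers) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties MemberOf, mail
    if (-not $u) { Write-Warning "No account found for $sam"; continue }

    Disable-ADAccount -Identity $u -WhatIf:(-not $Apply)

    # Record memberships before stripping them, so access can be reviewed or
    # restored if the HR record turns out to be wrong.
    $u.MemberOf | ForEach-Object {
        [pscustomobject]@{
            User    = $u.SamAccountName
            Group   = $_
            Removed = (Get-Date -Format s)
        }
    } | Export-Csv -Path $AuditCsv -Append -NoTypeInformation

    # MemberOf does not list the primary group (normally Domain Users), which
    # cannot be removed with Remove-ADGroupMember anyway.
    foreach ($groupDn in $u.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $u `
            -Confirm:$false -WhatIf:(-not $Apply)
    }

    # Hide mail-enabled accounts from the address book (Exchange schema only).
    if ($u.mail) {
        Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $true } `
            -WhatIf:(-not $Apply)
    }
}
```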
(Msg. 6) Posted: Thu Oct 02, 2008 11:12 am
Post subject: Re: Standard Procedure for disabled user accounts
"Richard Mueller [MVP]" <rlmueller-nospam.RemoveThis@ameritech.nospam.net> wrote in
message news:esn2Yn1HJHA.4240@TK2MSFTNGP02.phx.gbl...
> > Thanks Richard,
> >
> > So there is no standard industry procedure for retention/deletion of
> > accounts of employees who have left the company. What would be the pros
> > and cons of deleting these old user accounts? Now that I think about it,
> > I should ask the same question about Exchange mailboxes of employees who
> > have left the company.
> >
> > Thanks,
> > cclark
>
> There is no standard. I know of companies that use 6 months, I think some
> use a year, 3 months may be more common. Some companies have no policy
> (I've been involved in fixing the mess). Many companies insist that
> accounts be deleted immediately, especially if an employee is fired, but
> this requires knowing for sure the employee has left.
>
> If there is a way to reliably know when an employee has left (from HR for
> example), the account should be disabled and deleted immediately. Then
> Exchange mailboxes can be dealt with. Also, you may have retention
> policies requiring all email messages be retained for a period. The only
> reason not to delete an account immediately is because you are not
> positive the person has left, perhaps because you flagged the account for
> inactivity in the last 3 months and there is a chance they are on leave.
> Disabling the account first is a common solution.
>
> I was involved with a company division that was sold and we had to delete
> 1500 accounts in the old company immediately (of course the effective time
> was midnight). We spent weeks after that with Exchange, file systems,
> computers, mainframe resources, etc.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --

Thanks for the input. We receive a weekly report from HR concerning
employees that are no longer with the company. We disable the account
immediately but we do not delete the account. I noticed a huge amount of
disabled accounts. I am trying to understand why we do not delete the
account. I was told that Exchange information is linked to the user account
thus it is purged also. I guess most shops have some type of archiving
solution for Exchange mailboxes that would allow them to retain the content
of a mailbox. The archive solution would allow them to purge the Exchange
account without fear of losing data.
All times are: Eastern Time (US & Canada)