One thought on “Should you remove all rights from disabled accounts?

  • July 30, 2012 at 10:23 pm
    Permalink

    In theory, an organization could run a script daily to move disabled accounts into a disabled OU that no one except domain administrators had access to. That way, rights or no rights, the accounts are worthless to a hacker.

    I do know that deleting accounts from AD before removing them from some AD-dependent packages (like SharePoint) can create a mess, and when the same group of people doesn’t do both parts, it’s easier to disable the accounts and then wait a while before actually deleting them. In theory.

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux