So… “Mike Jones” has recently left the company, and it is up to you to ensure that he no longer has access to the corporate network. This includes preventing him from accessing the PPTP VPN (we’ll touch on my loathing for PPTP VPNs in a later post), the company terminal server and his personal e-mail.

Do you:

a) Delete Mike’s user account from Active Directory?

b) Disable Mike’s account?

c) Change Mike’s password (to something secure) and then disable the user account?

d) Change Mike’s password (to something secure), hide from Exchange address lists, remove the relevant e-mail addresses (a nice, easy way to prevent mail delivery to this account), remove the user from all distribution/security groups and then disable the user account?

If you answered a) to the question above, you have either been working in IT less than 6 months OR you’re the kind of systems administrator that everyone despises for your incompetence.

Quite a few people will answer b), as disabling the account would provide the required solution. The problem with just disabling the user account is it’s a lazy and incomplete solution. What happens if the account gets re-enabled at some point? The password will be the same as before, which poses a substantial security risk. We need to go further.

Now c) is a decent enough solution. It fills the requirements listed above, but still doesn’t go quite far enough in my opinion. The disabled account is still able to receive e-mail, and will still appear in the GAL (this isn’t always true, but it happens most of the time).

Finally, we reach d), which is the method that I use for disabling an account. There are often additional things that you have to consider when disabling an account, but if you follow the instructions that d) contains, you won’t go too far wrong.
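The steps in d), scripted as an added example (not the author’s own tooling). It assumes the ActiveDirectory PowerShell module, an Exchange-enabled user object, and a pre-created OU for disabled accounts; the OU path and account name are placeholders.

```powershell
# Added example: offboard a departed user the way option d) describes.
# Assumes the ActiveDirectory module; OU path and sAMAccountName are placeholders.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisabledOU,   # e.g. "OU=Disabled Users,DC=example,DC=local"
        [string] $Reason = "Left the company"
    )

    $user = Get-ADUser $SamAccountName -Properties primaryGroupID, proxyAddresses, mail

    # 1. Reset the password to a long random value nobody knows, so a later
    #    re-enable does not resurrect the old credential.
    $chars  = [char[]](33..126)
    $plain  = -join ($chars | Get-Random -Count 32)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

    # 2. Hide from Exchange address lists and strip the e-mail addresses so the
    #    mailbox stops receiving mail. If an e-mail address policy applies to the
    #    mailbox, disable it first (Set-Mailbox -EmailAddressPolicyEnabled $false)
    #    or Exchange will re-stamp the addresses.
    Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
    Set-ADUser -Identity $user -Clear proxyAddresses, mail

    # 3. Remove every group membership except the primary group (Domain Users),
    #    which AD will not let you remove directly.
    Get-ADPrincipalGroupMembership $user |
        Where-Object { ($_.SID.Value -split '-')[-1] -ne "$($user.primaryGroupID)" } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $user -Confirm:$false }

    # 4. Disable the account, record why, then park it in the disabled-users OU
    #    so it is easy to find (and easy to restore) later.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $Reason"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

# Usage with placeholder names:
Disable-DepartedUser -SamAccountName 'mjones' -DisabledOU 'OU=Disabled Users,DC=example,DC=local'
```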

My favourite reason for NOT using d) is that “the user/client/MD/receptionist told me to delete the account”. This is NOT a reason. This is a horrible, horrible excuse that has no place in a well-administered Active Directory network. If a user told you to change the global sending limit on messages from 10MB to 100MB, would you listen to them without hesitation or further investigation? I hope not. Just because someone tells you to delete an account doesn’t mean that you shouldn’t follow proper procedure. Make an OU to house your disabled user accounts, and explain the process for disabling users to anyone with sufficient rights to do so. Ignorance isn’t a good excuse for deleting an account.

So what’s the big issue with deleting a user account?

The main issue is how difficult it is to recover a deleted user, if they return to the company OR if you need to get access to their account for some reason (like the MD needs to get hold of an old e-mail that was sent by the deleted user). Deleting a user removes ALL of its attributes from Active Directory and marks the object as a “tombstone” that is fully removed after 60 days (by default). Alternatively, if you disable the user (using the method above), you still prevent that user from accessing his/her corporate information AND you make future recovery much, much easier.

If you DO manage to delete a user account and want to get it back, then please download THIS application and start the road to recovery…

To conclude:

Don’t delete users from Active Directory.

Do change the user’s password (to something secure), hide them from Exchange address lists, remove the user from all distribution/security groups and then disable the user account. You may also want to remove the relevant e-mail addresses from the user account (a nice easy way to prevent mail delivery).

- James | April 2009
