Standard Procedure for disabled user accounts

Thread starter: cclark

I was wondering if there is an industry standard for the expiration of "user
accounts" of users who have left the company? Is it an industry standard to
just delete the account after a certain time period? Any input or
documentation would be very much appreciated.

Thanks,
cclark
 
cclark said:
I was wondering if there is an industry standard for the expiration of "user
accounts" of users who have left the company? Is it an industry standard to
just delete the account after a certain time period? Any input or
documentation would be very much appreciated.

It's up to the organization. Factors in the decision would be the password
expiration policy, security concerns, sensitivity of resources, consequences
of a breach of security, type of user (admin or regular user), etc. Many
organizations first disable stale accounts, and possibly move them to
another OU to keep track of them. An account may be considered stale if the
password has not changed (or the user has not logged on) in 60, 90, 120, or
whatever number of days. If the account has been disabled for another period
of time with no complaints, it is probably safe to delete it.
 
Richard Mueller said:
It's up to the organization. Factors in the decision would be the password
expiration policy, security concerns, sensitivity of resources, consequences
of a breach of security, type of user (admin or regular user), etc. Many
organizations first disable stale accounts, and possibly move them to
another OU to keep track of them. An account may be considered stale if the
password has not changed (or the user has not logged on) in 60, 90, 120, or
whatever number of days. If the account has been disabled for another period
of time with no complaints, it is probably safe to delete it.

Thanks Richard,

So there is no standard industry procedure for retention/deletion of
accounts of employees who have left the company. What would be the pros and
cons of deleting these old user accounts? Now that I think about it, I
should ask the same question about Exchange mailboxes of employees who have
left the company.

Thanks,
cclark
 
some disable it and keep it
some delete it right away
some disable it and strip it (e.g. group memberships) and after a while
delete it

for all scenarios something also needs to be done about data like the
home directory, mailbox, receiving mail, hiding in the address book, etc.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Thanks Richard,

So there is no standard industry procedure for retention/deletion of
accounts of employees who have left the company. What would be the pros and
cons of deleting these old user accounts? Now that I think about it, I
should ask the same question about Exchange mailboxes of employees who have
left the company.

Thanks,
cclark

There is no standard. I know of companies that use 6 months, I think some
use a year, 3 months may be more common. Some companies have no policy (I've
been involved in fixing the mess). Many companies insist that accounts be
deleted immediately, especially if an employee is fired, but this requires
knowing for sure the employee has left.

If there is a way to reliably know when an employee has left (from HR for
example), the account should be disabled and deleted immediately. Then
Exchange mailboxes can be dealt with. Also, you may have retention policies
requiring all email messages be retained for a period. The only reason not
to delete an account immediately is because you are not positive the person
has left, perhaps because you flagged the account for inactivity in the last
3 months and there is a chance they are on leave. Disabling the account
first is a common solution.

I was involved with a company division that was sold and we had to delete
1500 accounts in the old company immediately (of course the effective time
was midnight). We spent weeks after that with Exchange, file systems,
computers, mainframe resources, etc.
 
Richard Mueller said:
There is no standard. I know of companies that use 6 months, I think some
use a year, 3 months may be more common. Some companies have no policy (I've
been involved in fixing the mess). Many companies insist that accounts be
deleted immediately, especially if an employee is fired, but this requires
knowing for sure the employee has left.

If there is a way to reliably know when an employee has left (from HR for
example), the account should be disabled and deleted immediately. Then
Exchange mailboxes can be dealt with. Also, you may have retention policies
requiring all email messages be retained for a period. The only reason not
to delete an account immediately is because you are not positive the person
has left, perhaps because you flagged the account for inactivity in the last
3 months and there is a chance they are on leave. Disabling the account
first is a common solution.

I was involved with a company division that was sold and we had to delete
1500 accounts in the old company immediately (of course the effective time
was midnight). We spent weeks after that with Exchange, file systems,
computers, mainframe resources, etc.

Thanks for the input. We receive a weekly report from HR concerning
employees that are no longer with the company. We disable the account
immediately but we do not delete the account. I noticed a huge amount of
disabled accounts. I am trying to understand why we do not delete the
account. I was told that Exchange information is linked to the user account
thus it is purged also. I guess most shops have some type of archiving
solution for exchange mailboxes that would allow them to retain the content
of a mailbox. The archive solution would allow them to purge the exchange
account without fear of losing data.

Thanks,
cclark
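The lifecycle the replies describe, put into one script as an added example (this is not code from the thread or from any of the posters): Jorge's "disable it, strip it (group memberships), and after a while delete it", Richard's two triggers (a reliable HR feed, or inactivity with a grace period because the person may be on leave), and cclark's weekly HR report that is acted on immediately. It assumes the RSAT ActiveDirectory module, a quarantine OU named OU=Disabled Users,DC=example,DC=com, an HR CSV with a SamAccountName column, and extensionAttribute1 as a spare attribute to hold the disable date; the function names and the 90-day figures are likewise assumptions, not anything the thread specifies.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory
# module, a quarantine OU, an HR leaver CSV with a SamAccountName column,
# and extensionAttribute1 as a free attribute for the disable date.
# All four are assumptions; adjust to the local directory.
#Requires -Modules ActiveDirectory

$DisabledOU = 'OU=Disabled Users,DC=example,DC=com'   # assumed quarantine OU
$StaleDays  = 90   # no logon for this long -> disable (one of the figures quoted in the thread)
$GraceDays  = 90   # disabled this long with no complaint -> delete
$StampAttr  = 'extensionAttribute1'                   # assumed: holds the disable date

function Disable-AndQuarantine {
    # Shared step for both paths: disable, stamp, strip groups, move to the OU.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][Microsoft.ActiveDirectory.Management.ADUser]$User,
        [string]$Reason
    )
    $today = Get-Date -Format 'yyyy-MM-dd'
    if ($PSCmdlet.ShouldProcess($User.SamAccountName, "disable, stamp, strip groups, move to $DisabledOU")) {
        Disable-ADAccount -Identity $User
        # Stamp the date on the object so the grace period can be computed
        # from the account itself rather than from whenChanged, which does
        # not replicate between domain controllers.
        Set-ADUser -Identity $User -Replace @{ $StampAttr = $today } `
            -Description "Disabled $today ($Reason)"
        # Drop every group except the primary group, so a later re-enable or
        # a recycled account does not silently inherit the leaver's access.
        Get-ADPrincipalGroupMembership -Identity $User |
            Where-Object { $_.Name -ne 'Domain Users' } |
            ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $DisabledOU
    }
}

function Invoke-HrOffboarding {
    # Event-driven path: HR says the person has left, so disable immediately.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $user = Get-ADUser -Identity $row.SamAccountName -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "HR lists '$($row.SamAccountName)' but no such account exists; check for a name mismatch"
            continue
        }
        if (-not $user.Enabled) { continue }   # already handled in an earlier run
        Disable-AndQuarantine -User $user -Reason 'HR leaver report'
    }
}

function Invoke-StaleAccountSweep {
    # Inactivity-driven path: disable after $StaleDays of no logon, delete
    # after a further $GraceDays sitting disabled in the quarantine OU.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $staleSince = (Get-Date).AddDays(-$StaleDays)

    # lastLogonTimestamp replicates lazily (it can lag the real last logon by
    # up to 14 days), and the owner may simply be on leave, which is why this
    # path only disables and never deletes outright.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
        Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$DisabledOU" } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated
            # -AccountInactive also returns accounts that have never logged on;
            # a brand-new account nobody has used yet is not stale.
            if ($user.whenCreated -gt $staleSince) { return }
            Disable-AndQuarantine -User $user -Reason "no logon for $StaleDays days"
        }

    $deleteBefore = (Get-Date).AddDays(-$GraceDays)
    Get-ADUser -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties $StampAttr |
        ForEach-Object {
            $stamp = $_.$StampAttr
            if (-not $stamp) {
                Write-Warning "$($_.SamAccountName) has no disable stamp; leaving it for manual review"
                return
            }
            $disabledOn = [datetime]::ParseExact($stamp, 'yyyy-MM-dd', $null)
            if ($disabledOn -lt $deleteBefore -and
                $PSCmdlet.ShouldProcess($_.SamAccountName, "delete (disabled since $stamp)")) {
                # Deleting the user also removes what hangs off it (the mailbox
                # link, profile paths), so mailbox and home directory must
                # already have been archived by whatever the site uses for that.
                Remove-ADUser -Identity $_ -Confirm:$false
            }
        }
}

# Dry runs first; -WhatIf flows into the nested calls:
#   Invoke-HrOffboarding -CsvPath .\leavers.csv -WhatIf
#   Invoke-StaleAccountSweep -WhatIf
```

Two design points match what the replies say: the HR-driven path still goes through the same disable-and-quarantine step rather than straight to Remove-ADUser, so a bad row in the HR report costs a re-enable instead of a restore, and the delete step keys off a date the script itself wrote, so an account that was disabled by hand without a stamp is reported rather than silently removed.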
 