Do not delete Active Directory user accounts!

I’m always surprised to hear of Active Directory user accounts being deleted as part of normal account management.

I was taught to never delete user accounts and every Active Directory environment I’ve managed has been the same. Instead, an account is set to “disabled”, removed from any email distribution lists and moved to a “graveyard” container.

I can understand the intent – when you’re done with it, delete it. But there’s a lot more going on than just a user’s ability to log on.

Accounts are SIDs

When you think of a user account you most likely think of the account name – but an account is actually a SID (Security IDentifier), and this unique ID is what is used whenever the user account is referenced.

This allows a user account name to change over its lifetime, for example if the user’s legal name changes, without affecting any existing permissions.

What happens when you delete an account?

By deleting the user account you’re removing the ability for Active Directory to display the account name – instead it will show the SID, which will look something like

{S-1-5-21-1004336348-1177238915-682003330-512}

Why would Active Directory need to display the account name?

Because Active Directory is an integrated environment – the account may have security permissions on a folder or a mailbox, scheduled tasks that run a program under it, as well as audit logs for everything that was done with the account.
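As an added example (not from the original post), the following PowerShell function lists the access control entries on a folder tree and flags those whose SID no longer resolves to an account name. Those unresolvable entries are exactly what a deleted account leaves behind in file permissions. The folder path is a placeholder, and the script assumes a domain-joined machine that can ask a domain controller to resolve SIDs.

```powershell
# Added example (not from the original post): find ACL entries on a folder
# tree whose principal no longer resolves to an account name. After an
# account is deleted only the raw SID remains, and this is how it shows up.
# Assumes: a readable folder path (the default below is a placeholder) and a
# domain-joined machine that can resolve SIDs against a domain controller.
function Get-OrphanedAce {
    param(
        [string]$Path = 'C:\Shares\Finance',   # placeholder path
        [switch]$Recurse
    )
    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Recurse
    }

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Inherited entries repeat the parent's problem; report only where
            # the entry is actually set.
            if ($ace.IsInherited) { continue }

            # IdentityReference is an NTAccount when Windows could resolve the
            # principal, and a bare SecurityIdentifier when it could not.
            $id = $ace.IdentityReference
            try {
                $sid = $id.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue   # a name that cannot even be turned into a SID; skip it
            }
            try {
                $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $orphaned = $false
            } catch {
                $name     = $null
                $orphaned = $true   # SID with no directory object behind it
            }
            [pscustomobject]@{
                Path     = $item.FullName
                SID      = $sid.Value
                Account  = $name
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Orphaned = $orphaned
            }
        }
    }
}

# Usage: show only the leftovers a deleted account produced.
# Get-OrphanedAce -Path 'D:\Projects' -Recurse | Where-Object Orphaned | Format-Table -AutoSize
```

The same translate-and-catch approach works for any ACL that PowerShell exposes through Get-Acl (registry keys, for instance); file shares are simply where the leftovers are most often noticed.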

What if you need to use the account again?

Just because the user has left doesn’t mean the account no longer has a use.

I’m not suggesting that you recycle the account by giving it to another user, or allow their manager to use it – I’m talking about all the times you’re asked to create a new account based on a previous employee’s access, to check a mailbox, or to set an out of office message. Or perhaps the user returns.

If the account wasn’t there to re-enable, those tasks become harder.

What about restoring the account?

Server 2012 introduced a “recycle bin” for deleted Active Directory objects. However, it’s not enabled by default.

Even if you are lucky enough to be using Server 2012 AND have this enabled – the fact is it is MUCH easier to re-enable an account than to restore it from the recycle bin.

So what should I do?

There’s no official “best practice” advice from Microsoft for managing user accounts – but my advice is to never delete a user account.

When a user leaves and no longer needs an account, your responsibility is to ensure the account cannot be used by the user whilst also being able to respond to any potential future requests, like setting an out of office.

The most effective way to do this is to set the account to “disabled”.
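As an added example (not from the original post), here is the disable-don’t-delete routine described above written as a PowerShell function using the ActiveDirectory module: disable the account, record why, remove it from email distribution lists, and move it to the graveyard container. It assumes the RSAT ActiveDirectory module is installed, the caller has rights over the user and the groups, and a graveyard OU exists at the distinguished name passed as -GraveyardOU (the default is a placeholder).

```powershell
# Added example (not from the original post): an offboarding routine that
# follows the disable-don't-delete approach described above.
# Assumes: the RSAT ActiveDirectory module is installed, the caller has rights
# on the user and the groups, and a "graveyard" OU exists at the distinguished
# name passed as -GraveyardOU (the default below is a placeholder).
function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$GraveyardOU = 'OU=Graveyard,DC=example,DC=com',   # placeholder DN
        [string]$Reason = 'Left the organisation'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user  = Get-ADUser -Identity $SamAccountName -Properties Description
    $stamp = Get-Date -Format 'yyyy-MM-dd'

    # 1. Disable the account. The SID, ACL entries, mailbox and audit trail all
    #    stay intact; only the ability to log on is removed.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        Disable-ADAccount -Identity $user
    }

    # 2. Record why and when, so the graveyard is self-documenting.
    $note = "Disabled $stamp - $Reason"
    if ($user.Description) { $note = "$note | previously: $($user.Description)" }
    Set-ADUser -Identity $user -Description $note

    # 3. Remove the account from email distribution lists only. Security group
    #    memberships are left alone so the access pattern can still be inspected
    #    (or copied) when someone later asks what this person had access to.
    $dls = Get-ADPrincipalGroupMembership -Identity $user |
           Where-Object { $_.GroupCategory -eq 'Distribution' }
    foreach ($dl in $dls) {
        if ($PSCmdlet.ShouldProcess($dl.Name, "Remove $SamAccountName from distribution list")) {
            Remove-ADGroupMember -Identity $dl -Members $user -Confirm:$false
        }
    }

    # 4. Move the object to the graveyard OU so it is out of the way of
    #    day-to-day administration but still there to re-enable or read from.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $GraveyardOU")) {
        Move-ADObject -Identity $user.ObjectGUID -TargetPath $GraveyardOU
    }

    # Return the account as it now stands, for logging or ticket notes.
    Get-ADUser -Identity $user.ObjectGUID -Properties Description, Enabled, MemberOf
}

# Usage (run with -WhatIf first to preview every change):
# Disable-LeaverAccount -SamAccountName 'jdoe' -Reason 'Contract ended' -WhatIf
# Bringing the account back later is a single cmdlet, which is the point of
# keeping the object:
# Enable-ADAccount -Identity 'jdoe'
```

Because the function declares SupportsShouldProcess, passing -WhatIf flows through to the ActiveDirectory cmdlets it calls, so the whole sequence can be rehearsed without touching the directory.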