On 11/14/2011 10:48 AM, David Lum wrote:
I have our internal auditor asking if we can keep disabled AD accounts
around for a calendar year and ditch them on Jan 1 of each year. The
reason is she can pull reports from AD regarding security audit
information, etc.

My kneejerk to me is to kill ‘em, but having them disabled in their own
OU (I kind of feel like they should be in a non-delegated OU too)
doesn’t give me that big of a heartache. Anyone care to share their opinion?

We have a special OU that disabled user accounts are moved to after the account holder terminates. The account is disabled and the expiration date set to the date the user terminated. The account stays there forever as we don't delete user accounts. The OU has limited access so only a small number of trusted admins are allowed to move users out of it. We also have Quest ChangeAuditor letting us know whenever a user account is enabled to ensure that it's a valid action.

        al
-
Al Lilianstrom
[email protected]
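The offboarding procedure Al describes (disable, set the expiration to the termination date, move into a restricted OU, alert when a parked account is re-enabled), as an added PowerShell example that is not from the original thread or from anyone's production scripts. The OU path is a placeholder, and polling Security event 4722 ("A user account was enabled") on the domain controllers is my stand-in for the ChangeAuditor alert.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and account-management auditing enabled on the domain controllers.
Import-Module ActiveDirectory

$DisabledOU = 'OU=Disabled Users,DC=example,DC=com'   # placeholder, adjust to your forest

function Disable-TerminatedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$TerminationDate
    )
    $user = Get-ADUser -Identity $SamAccountName
    # 1. Disable the account so it can no longer authenticate.
    Disable-ADAccount -Identity $user
    # 2. Expiration date = termination date, so auditor reports show when the person left.
    Set-ADAccountExpiration -Identity $user -DateTime $TerminationDate
    # 3. Leave a human-readable trail on the object itself.
    Set-ADUser -Identity $user -Description ("Terminated {0:yyyy-MM-dd}" -f $TerminationDate)
    # 4. Park it in the restricted OU; only the trusted admins have rights to move it out.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    # Return the final state for the change record.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, AccountExpirationDate, Description
}

# Detection: which parked accounts were re-enabled recently, and by whom?
# Event 4722 is written on the DC that processed the change, so run this against each DC
# (or your central log store). An account already moved back out of the OU will not match.
function Get-ReenabledParkedAccounts {
    param([int]$Hours = 24)
    $parked = (Get-ADUser -SearchBase $DisabledOU -Filter *).SamAccountName
    $filter = @{ LogName = 'Security'; Id = 4722; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x       = [xml]$_.ToXml()
        $target  = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
        $subject = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        if ($parked -contains $target) {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $target; EnabledBy = $subject }
        }
    }
}

# Usage:
#   Disable-TerminatedUser -SamAccountName 'jdoe' -TerminationDate (Get-Date '2011-11-14')
#   Get-ReenabledParkedAccounts -Hours 24
```

Run the detection function on a schedule and route any rows it returns to whoever approves re-enables; an empty result is the expected state.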


