I used to keep them around but with very long passwords, disabled, in a separate OU with all kinds of restrictions on them, and put their status as user. I had to do this for audit reasons and because some times I had to re-enable the account to get information off of various backup sources.
Jon On Mon, Nov 14, 2011 at 11:48 AM, David Lum <[email protected]> wrote: > I have our internal auditor asking if we can keep disabled AD accounts > around for a calendar year and ditch them on Jan 1 of each year. The reason > is she can pull reports from AD regarding security audit information, etc. > **** > > ** ** > > My kneejerk to me is to kill ‘em, but having them disabled in their own OU > (I kind of feel like they should be in a non-delegated OU too) doesn’t give > me that big of a heartache. Anyone care to share their opinion?**** > > *David Lum* > Systems Engineer // NWEATM > Office 503.548.5229 //* *Cell (voice/text) 503.267.9764**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
