Re: Why removing unused accounts




As long as the accounts are disabled and the passwords are scrambled there is no chance of them being used as a security issue. I would make sure that they are stripped of all group memberships except their primary group and all Exchange attributes cleared as well.

I would also toss them into an OU that is locked down such that only some special group can see them. The reason for that would be to avoid the one issue I would have with keeping them: the fact that they would add to the time required to do queries for user objects. If you have them out of the way and locked down so most folks can't see them, they will have minimal impact on queries.

A better mechanism might be to delete them and just store all IDs in ADAM and never delete them from ADAM; that way you can track every ID ever created.

Outside of that, if you have A LOT of turnover, you may start to impact DIT size after a bit which could be another concern. But again stripping the objects to minimal attributes should help with that as well.

But anyway, this isn't unheard of.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Tweety wrote:
Can anyone tell me why I should remove old unused disabled accounts?
A customer's domain contains about 10000 user accounts of which 1500
are disabled.
This domain is a tree of our forest. The DCs are GCs.
I try to convince the network administrator to delete the disabled
unused accounts, but he is not willing to do that. He wants to keep the
accounts and use the AD as inventory and history list of all accounts
ever made.
So I'm looking for some good reasons for removing these accounts.
Replication is no issue as only changes are replicated.

Suggestions?
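The clean-up Joe describes above (scramble the password, keep the account disabled, strip every group membership except the primary group, clear the Exchange attributes, then move the object into a locked-down OU) as an added PowerShell example. This is not code from the original post or from joeware; it assumes the ActiveDirectory module, and the search base, the archive OU name and the list of Exchange attributes to clear are placeholders you would replace with your own.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) is installed and the session runs with rights to edit the users.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'              # assumed: where the disabled accounts live
$ArchiveOU  = 'OU=Disabled-Archive,DC=example,DC=com'   # assumed: an OU whose ACL lets only a special group read it

# Assumed list of Exchange-related attributes to clear. Where Exchange is still
# installed, Disable-Mailbox is the supported way to do this; clearing them by
# hand is the "strip the object to minimal attributes" route from the post.
$ExchangeAttrs = 'mailNickname', 'homeMDB', 'msExchHomeServerName',
                 'legacyExchangeDN', 'proxyAddresses', 'msExchMailboxGuid', 'targetAddress'

function New-ScrambledPassword {
    # 32 bytes from a CSPRNG, Base64-encoded: nobody knows it, nobody needs to.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Only accounts that are already disabled are touched.
$disabled = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' `
                -Properties (@('memberOf', 'primaryGroupID') + $ExchangeAttrs)

foreach ($u in $disabled) {
    Write-Host "Processing $($u.SamAccountName)"

    # 1. Scramble the password and make sure the account stays disabled.
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-ScrambledPassword)
    Disable-ADAccount -Identity $u

    # 2. Strip group memberships. memberOf never lists the primary group
    #    (that relationship is stored in primaryGroupID), so removing the user
    #    from every DN in memberOf leaves exactly the primary group behind.
    foreach ($groupDN in $u.memberOf) {
        Remove-ADGroupMember -Identity $groupDN -Members $u -Confirm:$false
    }

    # 3. Clear the Exchange attributes that are actually populated.
    $toClear = $ExchangeAttrs | Where-Object { $null -ne $u.$_ -and $u.$_ -ne '' }
    if ($toClear) {
        Set-ADUser -Identity $u -Clear $toClear
    }

    # 4. Move the object into the locked-down archive OU (last, so the DN
    #    used above stays valid).
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $ArchiveOU
}
```

Run it first with `-WhatIf` appended to the four mutating cmdlets to see what would change. Locking the archive OU down so that "only some special group can see them" is an ACL change on the OU itself (removing the default Read and List Contents rights for Authenticated Users and granting them to the special group), which is done separately from this script.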



