Seven Cleanup Habits to Keep the Active Directory Safe and Secure

Just like our homes, Active Directory needs regular cleaning. We need to find unused user accounts, computer accounts, and so on, and remove them periodically. Intruders, attackers, and unauthorized users are often very interested in stale accounts: they use them as a gateway into the Active Directory network. Practicing a few healthy habits ensures that Active Directory stays clean and tidy.

Here are some tips on disabling and deleting accounts that have evolved from the experience of many AD administrators and organizations:

1. Disable the accounts of employees who are on long leave

You can disable the AD account of an employee when he or she goes on long leave, and enable it again only when the employee returns. This ensures that nobody else can perform any activity through that account during the leave period.

2. Disable and then delete the accounts of departed employees

When an employee leaves the organization, his or her AD account should be disabled first. A disabled account can be re-enabled when required, which helps when a departed employee decides to return after a short time. It also lets you check whether deleting the account would have any adverse consequences. And if a forensic investigation has to be done, the account must remain undeleted. That is why disabling the account first is recommended.

Even when an account is disabled, there is still a chance that an intruder could somehow enable it. So after a fixed period (four months, or a period decided by the organization) the account should be deleted permanently so that nobody can enable it again. It is also good practice to back up or archive the Exchange data related to the account for future requirements.
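The following PowerShell script is an added example, not code from the original post or from any product it mentions. It implements habits 1 and 2 with the Microsoft ActiveDirectory module: a leave toggle built on Disable-ADAccount/Enable-ADAccount, and a disable-then-delete lifecycle for departed employees in which the disable date is stamped into the account's Description so that a later purge can remove only accounts that have been disabled longer than the retention period. The quarantine OU path (OU=Disabled Users,DC=example,DC=com) and the 120-day retention period are assumptions chosen for this example; adjust them to your organization's policy.

```powershell
# Added example (not from the original post): disable-then-delete lifecycle for AD user accounts.
# Assumptions: $QuarantineOU and $RetentionDays are placeholders for this example.
Import-Module ActiveDirectory

$QuarantineOU  = 'OU=Disabled Users,DC=example,DC=com'   # assumed OU, change to yours
$RetentionDays = 120                                     # roughly four months, as in habit 2

# Habit 1: disable for the duration of a long leave, enable again on return.
function Set-LongLeaveStatus {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [bool]   $OnLeave
    )
    if ($OnLeave) { Disable-ADAccount -Identity $SamAccountName }
    else          { Enable-ADAccount  -Identity $SamAccountName }
}

# Habit 2, step 1: disable a departed employee's account and stamp the date.
function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Reason = 'Departed'
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties Description
    # The stamp lets the purge below compute how long the account has been disabled.
    $stamp = "DISABLED {0:yyyy-MM-dd} {1}" -f (Get-Date), $Reason
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description $stamp
    # A dedicated OU makes the disabled population easy to audit and lets a
    # restrictive GPO apply to it while the account is retained for forensics.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}

# Habit 2, step 2: find disabled accounts whose stamp is older than the retention period.
function Get-ExpiredDisabledUser {
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -match '^DISABLED (\d{4}-\d{2}-\d{2})' -and
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
        }
}

# Delete the expired accounts permanently; run with -ReportOnly first to review the list.
function Remove-ExpiredDisabledUser {
    param([switch] $ReportOnly)
    foreach ($u in Get-ExpiredDisabledUser) {
        if ($ReportOnly) {
            Write-Output ("Would delete {0} ({1})" -f $u.SamAccountName, $u.Description)
        } else {
            # Exchange/mailbox data should already be archived at this point (habit 2).
            Remove-ADUser -Identity $u -Confirm:$false
            Write-Output ("Deleted {0}" -f $u.SamAccountName)
        }
    }
}

# Usage (sample account names are constructed for this example):
#   Set-LongLeaveStatus -SamAccountName 'asmith' -OnLeave $true
#   Disable-DepartedUser -SamAccountName 'jdoe' -Reason 'Left 2024-05-01'
#   Remove-ExpiredDisabledUser -ReportOnly     # review first
#   Remove-ExpiredDisabledUser                 # then purge
```

Accounts that were disabled by hand without the Description stamp are deliberately left alone by the purge, so that a human reviews them rather than a script deleting evidence an investigation may still need.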

3. Disable the Administrator account when not in use

The Administrator account, because of its full access and control rights, is the first target of malicious attempts. You cannot delete this account, but you can rename it to mislead intruders. When it is not in use, keep the account disabled (remember that, even if disabled, it can be used in Safe Mode to access the Domain Controller).

4. Keep the Guest account disabled

The Guest account, which gives access without a password to users who have no account or whose accounts are disabled, is also a target of attacks. By default, this account is disabled. It is recommended to keep it disabled (you can also rename the account).
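Because both accounts can be renamed, a check for habits 3 and 4 should look them up by their fixed relative identifiers (RID 500 for Administrator, RID 501 for Guest) rather than by name. The script below is an added example, not code from the original post; it uses the ActiveDirectory module to report whether each built-in account is still enabled and whether it still carries its default name.

```powershell
# Added example (not from the original post): report the state of the built-in
# Administrator (RID 500) and Guest (RID 501) accounts, located by SID so that
# renaming them does not hide them from the check.
Import-Module ActiveDirectory

function Get-BuiltInAccountStatus {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $wellKnown = @(
        @{ Rid = 500; Role = 'Administrator'; DefaultName = 'Administrator' },
        @{ Rid = 501; Role = 'Guest';         DefaultName = 'Guest' }
    )
    foreach ($entry in $wellKnown) {
        # Get-ADUser accepts a SID string as -Identity.
        $acct = Get-ADUser -Identity "$domainSid-$($entry.Rid)" -Properties LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Role            = $entry.Role
            SamAccountName  = $acct.SamAccountName
            Renamed         = ($acct.SamAccountName -ne $entry.DefaultName)
            Enabled         = $acct.Enabled
            LastLogonDate   = $acct.LastLogonDate
            PasswordLastSet = $acct.PasswordLastSet
            Finding         = if ($acct.Enabled) { 'ENABLED: disable when not in use' } else { 'OK (disabled)' }
        }
    }
}

# Usage: run on a schedule and alert on any row whose Finding is not 'OK (disabled)'
# or whose Renamed value is False.
Get-BuiltInAccountStatus | Format-Table -AutoSize
```

A change in Enabled or LastLogonDate on either row between two scheduled runs is worth investigating, since these accounts should only be touched during planned administrative work.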

5. Delete unused user and computer accounts

Unused user accounts and computer accounts pose a serious security threat. You should disable them, delete them, or move them to a separate Organizational Unit.

6. Identify empty user groups and delete them (except default AD groups)

There may be many user groups with no members at all. Identify them and delete them to avoid security issues. Also consider deleting near-empty groups after relocating their users to a different group. But never delete default Active Directory groups, even if they are empty.
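Habits 5 and 6 are the two discovery tasks a cleanup run performs. The script below is an added example, not code from the original post, that finds inactive user and computer accounts with Search-ADAccount and quarantines them (disable plus move to a separate OU, the options habit 5 lists), and that lists empty groups while excluding default AD groups as habit 6 requires. The 90-day inactivity threshold and the two quarantine OU paths are assumptions for this example; the exclusion of default groups relies on the isCriticalSystemObject attribute, which Active Directory sets on its built-in and default groups, plus a conservative check on the Builtin and Users containers.

```powershell
# Added example (not from the original post): stale account quarantine and empty-group report.
# Assumptions: $InactiveDays, $StaleUserOU and $StaleComputerOU are placeholders for this example.
Import-Module ActiveDirectory

$InactiveDays    = 90                                       # assumed inactivity threshold
$StaleUserOU     = 'OU=Stale Users,DC=example,DC=com'       # assumed OU
$StaleComputerOU = 'OU=Stale Computers,DC=example,DC=com'   # assumed OU

# Habit 5: enabled user or computer accounts that have not logged on within the threshold.
function Get-StaleAccount {
    param([Parameter(Mandatory)] [ValidateSet('User', 'Computer')] [string] $Type)
    $params = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $InactiveDays) }
    if ($Type -eq 'User') { $params.UsersOnly = $true } else { $params.ComputersOnly = $true }
    # Search-ADAccount uses the replicated lastLogonTimestamp, which can lag real logons
    # by up to 14 days, so treat the result as a candidate list for review.
    Search-ADAccount @params | Where-Object { $_.Enabled }
}

# Disable and move stale accounts instead of deleting them outright, so they can be
# restored if the inactivity was legitimate (e.g. a laptop in storage).
function Invoke-StaleAccountQuarantine {
    param([Parameter(Mandatory)] [ValidateSet('User', 'Computer')] [string] $Type, [switch] $ReportOnly)
    $target = if ($Type -eq 'User') { $StaleUserOU } else { $StaleComputerOU }
    foreach ($a in Get-StaleAccount -Type $Type) {
        if ($ReportOnly) {
            Write-Output ("Stale {0}: {1} (last logon {2})" -f $Type, $a.SamAccountName, $a.LastLogonDate)
            continue
        }
        Disable-ADAccount -Identity $a
        Move-ADObject -Identity $a.DistinguishedName -TargetPath $target
    }
}

# Habit 6: groups with no members, excluding default/protected AD groups.
function Get-EmptyGroup {
    Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject |
        Where-Object {
            $_.Members.Count -eq 0 -and
            $_.isCriticalSystemObject -ne $true -and   # set on built-in and default groups
            # Conservative: also skip anything living in the Builtin or Users containers.
            $_.DistinguishedName -notmatch '^CN=[^,]+,CN=(Builtin|Users),DC='
        }
}

function Remove-EmptyGroup {
    param([switch] $ReportOnly)
    foreach ($g in Get-EmptyGroup) {
        if ($ReportOnly) { Write-Output ("Empty group: {0}" -f $g.DistinguishedName); continue }
        Remove-ADGroup -Identity $g -Confirm:$false
    }
}

# Usage: always review the reports before acting on them.
#   Invoke-StaleAccountQuarantine -Type User     -ReportOnly
#   Invoke-StaleAccountQuarantine -Type Computer -ReportOnly
#   Remove-EmptyGroup -ReportOnly
```

Service accounts and machines that authenticate rarely (for example, an offline backup host) will show up as stale; keep an explicit allow-list of such objects and filter them out of Get-StaleAccount's output before quarantining.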

7. Use a good cleanup tool like Active Directory Cleaner

Professional AD cleanup tools like Active Directory Cleaner help administrators a great deal in keeping the AD environment secure. Apart from providing detailed reports on dormant user and computer accounts, such a tool helps them disable and delete those accounts. One can also move all the accounts to a separate Organizational Unit. The tool also helps them schedule the cleanup action.