Is your Active Directory security relying on a single check-box?

Don’t trust your Active Directory Security to a single check-box!

Trusting the disable check box in Active Directory is risky if additional steps are not taken to ensure that the user account will not be re-enabled with unintended (possibly disastrous) consequences. Often the best-practice steps are overlooked or not followed because of the additional time and manual effort they require. Most admins simply click disable and believe they have deactivated the account. Unfortunately, this means that a single check-box is the only thing standing between you and a security or compliance breach. If that check box is mistakenly or intentionally cleared, the account immediately becomes active, meaning a terminated employee would once again have access to the organization’s resources, and the account may start showing up in unexpected places such as IM lists or email distribution lists.

No native Active Directory Feature to Disable Groups

Disabling a group is not a feature of Active Directory, yet it is often considered the #1 missing Active Directory capability. Because there is no way to disable an AD group, you cannot easily prevent a group from being used while you analyze the group’s members or where the group is being used during an audit or security investigation.

Deleting breaks the Audit and Security Trail

Deleting is not an answer either. Immediately deleting obsolete or inactive users and groups is an unacceptable practice due to security and auditing requirements. Because deleted objects disappear from Active Directory, they are no longer available for audits and security investigations. Most organizations require that obsolete or inactive users or groups be retained in a suspended state for up to 90 days before they are permanently deleted, so that the IT staff has time to clean up group membership and security assignments and auditors can still follow the audit trail for that user or group.


Cayosoft Suspend for Active Directory solves these challenges by adding policy workflow to the process used for deactivating users and groups for sustained efficiency, security and compliance.

Forefront, Oracle Identity Manager, Courion Compatible

If your organization has invested in an identity manager, meta-directory or synchronization tool that connects to legacy applications or creates cloud accounts on Office 365 or Google Apps, disabling the Active Directory account will have no effect on those associated accounts, and they will remain active. Most likely, disabling those associated accounts will require an attribute to be updated in Active Directory that signals the synchronization solution to de-provision the associated account.
