Disabled account used for running software?!
Hello! Recently I discovered a user account which exists on every server that has a special support software installed on my servers at the 'Company'. Asking the IT Technical Leader, he could not exactly determine what that account was created and needed for. I turned to the specific software support team to get the wanted information. They could not provide proper, clear information. ("Their software uses it for 'something'...")

My primary question would be if this user account could be deleted without further consequences, or not.

The scenario, in detail: non-DC Windows Server 2003 Standard (and other versions also) have a disabled user account, member of the Administrators local group of the machines. Both my team members and older colleagues told me that account is needed for the support software to run.

I have checked the following:
- The user account is disabled.
- The last modify date of the user account almost matches the creation time (few minutes difference, back in 2009).
- net user <username> showed the user account NEVER logged in.
- The support software has been running for ages on these systems (since ~2009).

My question, considering the above: Could a disabled user account be used for any purposes, if it never logged in, and if it was not modified after the installation wizard of the support software created it? Can disabled user accounts be used for anything in general, elevating rights, any other purposes, which would not result in a logged authentication which would be shown as last-login date???

Personally, I consider a disabled account being a member of the Administrators local group as a security threat. What are your concerns about it?

Thank you very much, please inform me if I have missed any vital information, and I'll get it asap.
September 28th, 2011 4:39pm

At first, it is not recommended to delete user accounts. Just disable it. This is because a user may have some explicit permissions, and when you delete the account you will be unable to determine which user account held these permissions (instead of the user name, a SID will be displayed). A disabled user cannot be used for any purposes unless it is authenticated outside of Active Directory authentication services (for example, custom authentication to an application).

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 28th, 2011 5:49pm

I've got your point.

1. Isn't a disabled account making a system less secure than the system would be without that account at all? Please consider the theoretically possible worst case scenario (inner-system threat, etc).
2. If it would be used for custom authentication, would it have any sense on earth to be a member of Administrators local group?

My objective here would be to point out that the solution used is definitely not a best practice and to catch it with a good reason. Also, I never saw disabled Windows accounts used by any applications using custom authentication methods. Custom authentication usually comes with custom stored user accounts, and not the ones stored on another system or subsystem.

Thanks in advance.
September 28th, 2011 6:27pm

> Isn't a disabled account making a system less secure than the system would be without that account at all?

While an account is disabled there are no additional security implications, because this account cannot be authenticated anywhere in Windows.

> If it would be used for custom authentication, would it have any sense on earth to be a member of Administrators local group?

No. Because group membership makes sense only when an account is successfully authenticated (which is not possible for disabled accounts) in Windows. I'm not sure about the behavior of the 'net user' command, but you need to consider that there are various logon types. For example, a dedicated user account can be used for some services. In this case an account may not have interactive logon permissions, but has "logon as a service" permissions.
September 28th, 2011 9:26pm
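
An added example, not part of the original thread: a PowerShell 2.0-compatible check of the points discussed above for one local account (disabled state, Administrators membership, recorded last logon, and any service configured to log on as it). The account name `SupportSvcAccount` is a placeholder; it uses only WMI and the ADSI WinNT provider.

```powershell
# Added example (not from the thread). PowerShell 2.0 syntax, WMI and ADSI only.
param([string]$AccountName = 'SupportSvcAccount')   # placeholder account name

$computer = $env:COMPUTERNAME

# Account state as Windows reports it.
$acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$AccountName'"
if (-not $acct) { Write-Warning "No local account named '$AccountName' on $computer"; return }

# Local Administrators, located by its well-known SID so a localized group name still works.
$adminGroup = Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$group = [ADSI]"WinNT://$computer/$($adminGroup.Name),group"
$isAdmin = $false
foreach ($member in @($group.psbase.Invoke('Members'))) {
    $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    if ($path -like "*/$computer/$AccountName") { $isAdmin = $true }
}

# Last logon recorded in the local SAM; the property is unset for an account that never logged on.
$lastLogon = 'never'
try {
    $user = [ADSI]"WinNT://$computer/$AccountName,user"
    if ($user.LastLogin.Value) { $lastLogon = $user.LastLogin.Value }
} catch { }

# Services configured to log on as the account (StartName is ".\name" or "COMPUTER\name").
$services = @(Get-WmiObject -Class Win32_Service | Where-Object {
    $_.StartName -and (($_.StartName -ieq ".\$AccountName") -or ($_.StartName -ieq "$computer\$AccountName"))
})

# One summary object per machine, easy to collect across servers.
New-Object PSObject -Property @{
    Account          = $acct.Caption
    SID              = $acct.SID
    Disabled         = $acct.Disabled
    InAdministrators = $isAdmin
    LastLogon        = $lastLogon
    ServicesRunAs    = ($services | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
}
```

Scheduled tasks and application-specific credential stores are not covered by this check and need to be reviewed separately.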
