active directory disabled/deleted
A few novice questions for a non windows admin.
Why are domain accounts disabled when a user leaves the company rather than deleted?
Does disabling an account put some form of timer on the account that it will be deleted in 6 months after it was disabled, or do admins go in and manually delete older disabled accounts? If it is the timer kind of issue, where can you see in ADUC how long the account will stay disabled before being deleted?
And also, if a domain user who is disabled has a mailbox, does the mailbox stay on Exchange until the user is deleted from AD, i.e. delete the domain account from AD and the mailbox automatically gets deleted from Exchange... or do the Exchange admins have to manually check for stale mailboxes and delete them that way?
May 27th, 2011 7:52am
Why are domain accounts disabled when a user leaves the company rather than deleted?
If the user leaves the company and will never go back then there is no need to disable his account as it will not be used again by him. For that, I recommend its deletion.
Does disabling an account put some form of timer on the account that it will be deleted in 6 months after it was disabled, or do admins go in and manually delete older disabled accounts?
No, never heard about that. Admins go to delete it or develop a script to delete it.
And also if a domain user who is disabled has a mailbox, does the mailbox stay on exchange until the user is deleted from AD, i.e. delete domain account from AD and mailbox automatically gets deleted from exchange... or do the exchange admins have to manually check for stale mailboxes and delete them that way?
This is an Exchange question. It will be better to ask in Exchange forums.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 27th, 2011 8:26am
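The answer above notes that AD has no built-in "delete after N months" timer and that admins either delete by hand or script it. The following PowerShell is an added example, not code from anyone in this thread: it records the disable date itself (AD stores no "disabled on" attribute, so the date is stamped into the account's Description), parks the account in a holding OU, and later deletes only accounts that have sat disabled past a retention period. The OU path, the 180-day retention and the Description marker are assumptions; the script needs the ActiveDirectory RSAT module and runs in dry-run (-WhatIf) mode unless -Force is passed.

```powershell
# Added example, not from the original thread.
# Assumes the ActiveDirectory module (RSAT); OU path and retention are placeholders.
Import-Module ActiveDirectory

$DisabledOU    = 'OU=Disabled Users,DC=example,DC=com'   # placeholder OU, change to your own
$RetentionDays = 180                                      # how long a disabled account is kept
$Stamp         = 'Disabled on '                           # marker written into the Description

function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    # AD keeps no "disabled on" attribute, so we record the date ourselves in the Description
    # and keep the old text after it for reference.
    $desc = "$Stamp$(Get-Date -Format 'yyyy-MM-dd'); was: $($user.Description)"
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description $desc
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

function Get-StaleDisabledAccounts {
    # Returns disabled accounts in the holding OU whose stamp is older than the retention period.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' -Properties Description |
        ForEach-Object {
            if ($_.Description -match "^$Stamp(\d{4}-\d{2}-\d{2})") {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $cutoff) { $_ }
            }
        }
}

function Remove-StaleDisabledAccounts {
    param([switch]$Force)
    foreach ($u in Get-StaleDisabledAccounts) {
        # Dry run unless -Force is given: -WhatIf only prints what would be removed.
        Remove-ADUser -Identity $u -Confirm:$false -WhatIf:(-not $Force)
    }
}

# Usage (first call stamps and parks the account; second is a safe dry run):
# Disable-LeaverAccount -SamAccountName 'jdoe'
# Remove-StaleDisabledAccounts
```

Accounts that were disabled some other way (no stamp in the Description) are deliberately skipped rather than guessed at from whenChanged, so nothing is deleted without a known disable date; run Get-StaleDisabledAccounts on its own first to review the list.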
Are there any other reasons why a domain account would be disabled as opposed to them leaving the company? Why else would/could a domain account come to be disabled?
May 27th, 2011 9:06am
Are there any other reasons why a domain account would be disabled as opposed to them leaving the company?
Yes. Example: An employee is in vacation and will be back after a month and does not need to use his account. In this case, for security reasons, his account should be disabled.
Another example: You have trainees that will come after a month and you created for them accounts that will not be used by them immediately. In this case, for security reasons, it is recommended to disable their account until they arrive.
May 27th, 2011 9:12am
Disabling users is often used for consultants and other temporary workers as it is easy to re-enable them if they come back to do more work. Another use is the ability to access the user's files even if encrypted. Maybe not legal everywhere, but still a possibility.
There is no official best practice saying you should just disable users that quit. If you don't expect people to come back then delete the object.
When it comes to the Exchange mailbox it can be deleted at the same time as the user. When deleting a user with a mailbox then one of the questions you get is if you want to also delete the mailbox. If you choose to do so the default setting in Exchange is to keep it until it is backed up before actually deleting it. This may of course have been changed by your Exchange admin.
May 27th, 2011 9:18am
Another use is the ability to access the user's files even if encrypted. Maybe not legal everywhere, but still a possibility.
Could you explain this further in layman's/management speak -- sounds interesting!
May 27th, 2011 9:22am
If a user has encrypted files by right click -> Properties -> Advanced -> Encrypt... and you don't have a recovery agent in place (requires active PKI infrastructure and configuration) then that user is the only one who can unencrypt the documents.
If you delete the user then no one else can access these files.
May 27th, 2011 10:58am
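The last answer describes the failure mode to check for before deleting a leaver: EFS-encrypted files with no recovery agent become unreadable once the only user who can decrypt them is gone. The PowerShell below is an added example, not code from anyone in this thread. It lists EFS-encrypted files under a folder and runs the built-in cipher.exe /c on each to show which user certificates and recovery agents can decrypt it; the folder path is a placeholder.

```powershell
# Added example, not from the original thread.
# Pre-deletion check: find EFS-encrypted files and show who can still decrypt them.
$UserFolder = 'C:\Users\jdoe'   # placeholder: the leaver's profile or home directory

function Get-EfsEncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted file attribute marks files protected by EFS.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Show-EfsDecryptors {
    param([Parameter(Mandatory)][string]$File)
    # cipher.exe /c prints the user certificates and any recovery agents able to decrypt the file.
    # If only the leaving user is listed and no recovery agent appears, deleting the account
    # leaves nobody who can decrypt it.
    & cipher.exe /c "$File"
}

$encrypted = @(Get-EfsEncryptedFiles -Path $UserFolder)
"{0} EFS-encrypted file(s) found under {1}" -f $encrypted.Count, $UserFolder
foreach ($f in $encrypted) { Show-EfsDecryptors -File $f.FullName }
```

Run this as an account that can read the folder (the attribute check does not need to decrypt anything); files where cipher.exe reports no recovery agent should be decrypted by the user, or re-keyed via a recovery agent, before the account is removed.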