Active Directory: Disabling and Deleting User Accounts
Understand the critical difference between disabling and deleting Active Directory accounts. Learn about SIDs, the userAccountControl bitmask, and why disabling is the only safe way to handle employee terminations.
The Ticket: The Immediate Termination
Today, a client just let go of a disgruntled employee and they need their access killed "yesterday." The instinct for a Tier 1 tech is often to just hit the delete key and move on. Don't do that. Deleting an account is a destructive, irreversible action that can break file ownership and halt forensic audits. In the MSP world, we disable first and delete only after a 30, 60, or 90-day retention period has passed.
Pre-Flight Check
- Permissions: Domain Admin or Account Operator rights.
- Tools: Active Directory Users and Computers (ADUC) or PowerShell.
- Impact: High - The user is immediately disconnected from all domain-authenticated services (Email, File Shares, VPN).
The Solution
1. The "Safety First" Method (Disable)
This is the industry standard for offboarding. It kills the user's ability to log in but keeps the account object and its unique identifiers intact.
- GUI Method: Open ADUC, find the user, Right-click > Disable Account.
- PowerShell Method:
Disable-ADAccount -Identity "username"
2. The "Nuclear" Method (Delete)
Only use this if the account was created by mistake (e.g., a typo in the username) and has never been used.
- GUI Method: Right-click > Delete.
- PowerShell Method:
Remove-ADUser -Identity "username"
The "Why" (Root Cause)
The reason we prioritize disabling over deleting comes down to the SID (Security Identifier). Every object in Active Directory is assigned a unique, immutable SID (e.g., S-1-5-21-...-1105). Windows uses this SID (not the username) to determine who owns a file or who has permission to a folder.
If you Delete the account, that SID is gone forever. Even if you create a new user with the exact same name, they get a new SID. Any files encrypted with the old user's certificate, and any permissions assigned specifically to that user, become "orphaned": the entry shows up as a raw SID string instead of a name in the Security tab. By Disabling the account, you "freeze" the SID in place. This allows a manager or successor to access the former employee's files without a permissions nightmare.
Under the Hood (Technical Deep Dive)
When you disable an account, Active Directory modifies the userAccountControl attribute. This is a bitmask, a single integer that represents multiple flags.
A typical "Normal Account" has a value of 512 (0x200). When you click Disable, Windows sets the ACCOUNTDISABLE flag (0x02), changing the value to 514. During the next Kerberos handshake or NTLM authentication attempt, the Domain Controller sees that the 0x02 bit is set and refuses to issue a TGT (Ticket Granting Ticket), effectively locking the user out of the entire network instantly.
If the user is currently logged in, disabling the account won't always kick them out of their active desktop session immediately, but it will prevent them from accessing any new network resources (like opening a new file share or refreshing their email) because the Domain Controller will no longer issue tickets for the now-disabled account object.
RMM & Automation Tips
- Termination Script: Build an RMM "Offboarding" script that does more than just disable the account. It should:
  - Disable the AD Account.
  - Move the user to a "Disabled Users" or "Terminated" OU.
  - Strip all Group Memberships (except Domain Users).
  - Set the Description field to: "Disabled per Ticket #12345 on [Date] by [TechName]".
- Audit Cleanup: Set your RMM to run a monthly report for any accounts that have been disabled for more than 90 days. This is your "Clean Up" list for final deletion after the data retention policy has been met.
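The offboarding steps above, plus the userAccountControl check from the "Under the Hood" section, as one added PowerShell example (this is not code from the original article). It assumes the RSAT ActiveDirectory module, the rights listed in the Pre-Flight Check, and a hypothetical Terminated OU path that you would replace with the client's own.

```powershell
#Requires -Modules ActiveDirectory

function Invoke-Offboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TicketId,
        # Hypothetical OU; change to the client's real "Terminated" OU.
        [string] $DisabledOU = 'OU=Terminated,DC=corp,DC=example'
    )

    $ACCOUNTDISABLE = 0x2   # the userAccountControl bit described in the article

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, userAccountControl

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Offboard')) {
        # 1. Disable the account (sets the 0x2 bit; 512 becomes 514 for a normal account).
        Disable-ADAccount -Identity $user

        # 2. Strip group memberships. Domain Users is the primary group, which does
        #    not appear in MemberOf, so it is left untouched automatically.
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }

        # 3. Leave the audit trail in the Description field.
        $desc = "Disabled per Ticket #$TicketId on $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"
        Set-ADUser -Identity $user -Description $desc

        # 4. Move to the Terminated OU last: the DN changes after the move,
        #    so earlier steps keep using the original object reference.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    # Verify by re-reading userAccountControl and testing the ACCOUNTDISABLE bit.
    $after = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        SID                = $after.SID.Value        # unchanged by disabling
        userAccountControl = $after.userAccountControl
        Disabled           = (($after.userAccountControl -band $ACCOUNTDISABLE) -ne 0)
    }
}

# Dry run first; -WhatIf reports each change without applying it:
# Invoke-Offboarding -SamAccountName 'jdoe' -TicketId '12345' -WhatIf
```

Run the verify block against the returned object in your RMM so the job fails loudly if Disabled is still $false.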
Troubleshooting & Edge Cases
- Edge Case 1: M365 Sync: If the client uses Azure AD Connect, disabling the local AD account will sync to the cloud and disable their Microsoft 365 account automatically (usually within 30 minutes). You do not need to disable it in both places.
- Edge Case 2: The Re-Hire: If an employee returns, simply Right-click > Enable Account. Since the SID never changed, they will immediately regain access to all their old files and folders as if they never left.