Deleting and disabling user accounts

Common sense tells you not to delete accounts at will. After an account is deleted, you can never get it back. The SID can be tracked, but it can never be resurrected. You have no undelete feature, and the account and SID are lost forever as active objects. If you want to render an account unusable, disable it. If you are an experienced administrator of Windows NT, this practice is not new to you, and disabling an account in Active Directory is easy. Just select the account in Active Directory Users and Computers and right-click. Choose Disable Account from the pop-up menu.

You might consider adopting a policy of deleting any disabled account after a certain period — say, six months. Unless you have a very good reason to delete the account, however, leave it disabled indefinitely. Deleted accounts are like zombies. They return from their graves to haunt you. For example, temps often leave the company only to return six months later to perform similar duties, so re-creating the same account from scratch, with the same access rights and permissions, group memberships, and so on, is a huge waste of time.
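The two practices above (disable rather than delete, and review disabled accounts only after a fixed period) can be scripted instead of clicked through in Active Directory Users and Computers. The following PowerShell is an added example, not code from the original text. It assumes the ActiveDirectory module from RSAT is installed and that the caller has rights on the target OU; the convention of stamping a "Disabled on" date into the Description attribute, the 180-day default, and the `$SearchBase` parameter are assumptions of this example, not something the text prescribes.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory
# PowerShell module (RSAT) is available and the caller has rights on the OU.
# The "Disabled on <date>" Description convention is an assumption used so the
# review script can tell how long an account has been disabled.
Import-Module ActiveDirectory

function Disable-UserAccountWithStamp {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Reason = 'left company'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Description

    # Disable instead of delete: the object, its SID, group memberships and
    # permissions all survive, so the account can be re-enabled later.
    Disable-ADAccount -Identity $user

    # Stamp the date so a later review knows when the account went dormant.
    $stamp = 'Disabled on {0:yyyy-MM-dd} ({1})' -f (Get-Date), $Reason
    Set-ADUser -Identity $user -Description $stamp

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        SID            = $user.SID.Value   # still traceable after disabling
        Description    = $stamp
    }
}

function Get-StaleDisabledUsers {
    # Lists disabled user accounts that have been disabled longer than $Days.
    param([int]$Days = 180, [string]$SearchBase)
    $cutoff = (Get-Date).AddDays(-$Days)

    $params = @{ AccountDisabled = $true; UsersOnly = $true }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Search-ADAccount @params |
        Get-ADUser -Properties Description, whenChanged |
        Where-Object {
            if ($_.Description -match 'Disabled on (\d{4}-\d{2}-\d{2})') {
                [datetime]$Matches[1] -lt $cutoff
            } else {
                # No stamp: fall back to the last modification time, which is
                # only an approximation of when the account was disabled.
                $_.whenChanged -lt $cutoff
            }
        } |
        Select-Object SamAccountName, DistinguishedName, Description, whenChanged
}

function Show-PendingDeletions {
    # Review step only: -WhatIf reports what Remove-ADUser would do and
    # deletes nothing. Drop -WhatIf only after a human has approved the list.
    param([int]$Days = 180, [string]$SearchBase)
    Get-StaleDisabledUsers -Days $Days -SearchBase $SearchBase |
        ForEach-Object { Remove-ADUser -Identity $_.DistinguishedName -WhatIf }
}

# Usage (account name and OU are placeholders):
# Disable-UserAccountWithStamp -SamAccountName 'jdoe' -Reason 'contract ended'
# Get-StaleDisabledUsers -Days 180 -SearchBase 'OU=Users,DC=example,DC=com'
# Show-PendingDeletions -Days 180 -SearchBase 'OU=Users,DC=example,DC=com'
```

Keeping the deletion step behind `-WhatIf` matches the advice above: the report tells you which disabled accounts have passed the policy window, but the irreversible step stays a deliberate, reviewed action rather than something a scheduled script does on its own.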

