Best Practices - Disabling Users in Active Directory

Tools for disabling and de-provisioning users and groups in Active Directory

When a user goes on extended leave (e.g. maternity leave, military deployment), it's a good idea to disable their user account in Active Directory, rendering it unusable until they return.  Also, as a best practice, when a user leaves the company their account is often disabled for a period of time before being permanently deleted.  However, a disabled account is not fully protected from misuse: a quick call to the help desk by a disgruntled ex-employee or an outside attacker could get the account re-enabled.  To counter this threat, your best practices for disabling accounts may include changing the password, recording and removing the user's group memberships, and more.

When it comes to groups, you may want to temporarily disable a group's access to shared folders and other resources, and wait to see if anyone complains or anything breaks, before you permanently delete the group. Unfortunately, Microsoft provides no straightforward way to disable groups using the native tools.  A partial solution would be to record and remove the members of the group, though this doesn't stop administrators from adding new users to the group.

In order to adhere to best practices, many manual steps may be involved if you want to thoroughly disable users and groups.  However, we've found a utility that can perform these processes with minimal effort.

Cayo Suspend™ for Active Directory is a snap-in for Active Directory Users and Computers.  It adds a suspend item to the context menu of users and groups.
When a user is suspended, a dialog box appears that allows the administrator to select various actions to perform on the account, which include disabling the account, scrambling the password, recording and removing the user's group memberships, moving the account to another OU, etc.
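The user-suspension steps listed above (and the password change and membership removal recommended earlier) scripted with the RSAT ActiveDirectory module, as an added example; this is not Cayo's code, and the function name, the holding OU, the record path and the account name in the usage line are assumptions.

```powershell
# Added example (not Cayo's code): record memberships, scramble the password,
# disable, strip groups, move to a holding OU. OU, record path and account
# name below are hypothetical.
Import-Module ActiveDirectory

function Suspend-ADUserAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SuspendedOU,   # holding OU for suspended objects
        [Parameter(Mandatory)] [string] $RecordPath     # JSON file used to restore memberships later
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # 1. Record group memberships before touching them so the account can be re-enabled
    #    with its original access. The primary group (usually Domain Users) is skipped
    #    because Remove-ADGroupMember cannot remove it.
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        OriginalDN     = $user.DistinguishedName
        SuspendedBy    = $env:USERNAME
        SuspendedAt    = (Get-Date).ToString('o')
        Groups         = @($groups.DistinguishedName)
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $RecordPath

    # 2. Scramble the password with 32 random bytes so that merely re-enabling the
    #    account (e.g. after a help-desk call) does not hand back a working credential.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $scrambled = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -NewPassword $scrambled -Reset

    # 3. Disable the account.
    Disable-ADAccount -Identity $user

    # 4. Remove the recorded group memberships.
    foreach ($group in $groups) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    # 5. Stamp the who/when on the object itself, then move it to the holding OU.
    Set-ADUser -Identity $user -Description "Suspended $((Get-Date).ToString('s')) by $env:USERNAME"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $SuspendedOU
}

# Usage (hypothetical values):
# Suspend-ADUserAccount -SamAccountName jdoe -SuspendedOU 'OU=Suspended,DC=example,DC=com' -RecordPath 'C:\Suspend\jdoe.json'
```

The JSON record is what an administrator reads back when re-enabling the account; the scrambled password is never stored anywhere, so a legitimate return requires a deliberate password reset.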

When a group is suspended, its group type is changed so that it can no longer be used as a security group, its members are recorded and removed, and it is hidden from the Microsoft Exchange address book.

Since suspended users and groups are not deleted, their security identifiers remain intact, so that they can be easily re-enabled, and their historical security access can be included in security and compliance audits.  Also, a quick click will display a suspend report that includes the who, what, and when of the object's suspension.

During user and group suspension, the administrator can select an object retention period, after which the object can be either re-enabled or permanently deleted.  These automatic operations require another utility called Cayo Policy Manager™ for Active Directory, which runs as a service and watches the directory for objects approaching the end of their retention period.

Cayo Suspend can even be used as a provisioning tool. When new employees join the company, it can take significant time to create the account, add the account to the required groups, and grant access to various resources.  This work can be done in advance, and then the account can be suspended until the employee's first day.

Installation is simple.  As a plugin to Active Directory Users and Computers, just download the software and install it on any administrative workstations where AD administration is performed.  No other infrastructure is required, unless you want to deploy Policy Manager to perform automated object retention activities.

Cayo Suspend provides an easier, more secure, and more compliant alternative to the traditional methods of disabling and deleting users and groups in Active Directory.  Learn more and download your free trial at
