
Win 2003 - Active Directory


GSC

MIS
Mar 27, 2001
464
EU
Hi,

I have a question regarding "inactive" server/computer accounts in Active Directory.
We have sold a couple of our sites and I would like to know if we have any security issues by leaving the "inactive" server/computer accounts from the sold sites in our Active Directory?

Thanks for the help,

GSC
 
In terms of security best practices, you should at least disable any unneeded accounts in all systems, not just AD. Depending on your industry, you may not want to actually delete old users.

For example: I used to work in a hospital. To ensure that electronically signed medical records did not have ambiguous names from re-use of a login, we kept all accounts after disabling them.

If you do not have a reason to keep the accounts, I suggest deleting them altogether.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
If you are at a large enough place to get audited (SOX/ISO compliance audits), then yes, this will be a security problem. They need to be disabled at 90 days and deleted by 120 days...

Outside of that, there is no security issue with computer objects, as they could only be hijacked by someone with domain admin rights and extra hardware to load up with the same name...

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
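
Added example, not part of the thread or any poster's code: one way to apply the 90-day disable / 120-day delete schedule mentioned above to computer accounts. It assumes the ActiveDirectory PowerShell module is available; the function name, the OU path placeholder, and the choice to delete only accounts that are already disabled are assumptions of this example.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: classify computer accounts by idle time.
# Thresholds default to the 90/120-day figures quoted in the thread.
function Get-StaleComputerPlan {
    param(
        [int]$DisableAfterDays = 90,
        [int]$DeleteAfterDays  = 120,
        [string]$SearchBase    # optional: limit to one OU, e.g. the sold sites
    )
    $now   = Get-Date
    $query = @{ Filter = '*'; Properties = 'LastLogonDate', 'whenCreated' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates but
        # can lag by up to about two weeks. Never-used accounts fall back to
        # their creation date so they still age out.
        $last = $_.LastLogonDate
        if (-not $last) { $last = $_.whenCreated }
        $idle = [int]($now - $last).TotalDays

        $action = 'None'
        if ($_.Enabled -and $idle -ge $DisableAfterDays) { $action = 'Disable' }
        # Two-stage by design (assumption): only accounts that already went
        # through the disabled stage become deletion candidates.
        if (-not $_.Enabled -and $idle -ge $DeleteAfterDays) { $action = 'Delete' }

        [pscustomobject]@{
            Name     = $_.Name
            DN       = $_.DistinguishedName
            Enabled  = $_.Enabled
            IdleDays = $idle
            Action   = $action
        }
    }
}

# Placeholder OU path; replace with the OU that holds the decommissioned machines.
$plan = Get-StaleComputerPlan -SearchBase 'OU=SoldSites,DC=example,DC=com'
$plan | Sort-Object IdleDays -Descending | Format-Table Name, Enabled, IdleDays, Action

# -WhatIf makes both steps a dry run; remove it once the report has been reviewed.
$plan | Where-Object { $_.Action -eq 'Disable' } |
    ForEach-Object { Disable-ADAccount -Identity $_.DN -WhatIf }
$plan | Where-Object { $_.Action -eq 'Delete' } |
    ForEach-Object { Remove-ADObject -Identity $_.DN -Recursive -WhatIf }
```

Keeping the report output alongside the change ticket gives auditors a record of which accounts were disabled or removed and when.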

 