On Wed, Oct 21, 2009 at 3:58 PM, John Jasen <jja...@realityfailure.org> wrote:
> David Parter wrote:
>
>>>> 3) request for the accounts to be locked, not deleted. I think Security
>>>> will scream...
>>
> In old UNIX parlance, it was regarded as best practice to lock, disable
> and otherwise completely neuter and lobotomize an account, but not to
> delete it -- else you run the risk of a corner case where a new user
> inherits the old UID.
>
> I presume the situation has changed?
Most of the SID identifies the domain and I believe AD keeps a counter of what the next SID should be and only increments, thus making it extremely unlikely that an old SID will be reused. (But still not impossible.)

It is much more likely that a username will be reused. If an old manager account is deleted and a new account gets the same username, email address, etc., then it is very likely that they could get access and messages that were not intended for them. At the very least it would be confusing.

As near as I can tell, Microsoft best practice is to delete unused accounts.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
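A check for the two reuse cases discussed above, added here as an example and not part of the thread: it splits domain account SIDs into the domain identifier and the RID (the per-account part the reply describes as an incrementing counter) and compares an archive of deleted accounts against the current directory, flagging a username or mail address that now belongs to a different SID (the likely case) and a SID that appears in both sets (the rare one). The domain identifier, account names and RIDs are constructed for the example.

```python
import re
from collections import namedtuple

Account = namedtuple("Account", "sam mail sid")

# Domain account SIDs: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Split a domain account SID into (domain identifier, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))

def find_reuse(archived, current):
    """Return {'name_reuse': [(old, new)], 'sid_reuse': [(old, new)]}:
    name_reuse = same sAMAccountName or mail address, different SID;
    sid_reuse  = the same SID present in both the archive and the directory."""
    by_sid = {a.sid: a for a in archived}
    by_sam = {a.sam.lower(): a for a in archived}
    by_mail = {a.mail.lower(): a for a in archived}
    name_reuse, sid_reuse = [], []
    for acct in current:
        if acct.sid in by_sid:            # rare: RID handed out twice
            sid_reuse.append((by_sid[acct.sid], acct))
            continue
        old = by_sam.get(acct.sam.lower()) or by_mail.get(acct.mail.lower())
        if old is not None and old.sid != acct.sid:   # likely: identity recycled
            name_reuse.append((old, acct))
    return {"name_reuse": name_reuse, "sid_reuse": sid_reuse}

# Constructed sample data (hypothetical domain and accounts)
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ARCHIVED = [
    Account("jsmith", "jsmith@example.com", f"{DOMAIN}-1105"),  # old manager, deleted
    Account("rlee",   "rlee@example.com",   f"{DOMAIN}-1110"),
]
CURRENT = [
    Account("jsmith", "jsmith@example.com", f"{DOMAIN}-1342"),  # new hire, same username
    Account("mchen",  "mchen@example.com",  f"{DOMAIN}-1343"),
    Account("rlee2",  "rlee@example.com",   f"{DOMAIN}-1110"),  # same SID: should not happen
]

if __name__ == "__main__":
    for old, new in find_reuse(ARCHIVED, CURRENT)["name_reuse"]:
        print(f"{old.sam}: RID {split_sid(old.sid)[1]} -> RID {split_sid(new.sid)[1]}")
```

In practice the two input lists would come from a retained export of deleted accounts and a current directory query; the comparison logic is the same.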