All firms that have to fill positions with employees also deal with turnover. The rates differ, but regardless of the industry, turnover introduces a problem: how to deal with the departing employee's user accounts on a computer or application. Often, a firm will decide that since the employee is no longer associated with it, the user account can be deleted. After all, they won’t be needing it, right?
This is a pitfall that is much more dangerous than it seems. Deleting is a permanent action when it comes to user accounts. For example, deleting a Windows user account will make its files nearly impossible to access. Email may still be sent to an account after it is deleted, and the firm will likely never notice those messages. For these reasons, among others, IT professionals tend to prefer a different method: disabling user accounts.
Benefits to Disabling Users
Disabling accounts is a non-permanent way to render an account inactive while keeping it present in the business’s records. With respect to Windows, disabling an account simply removes the ability to sign in to it. The benefit is two-fold. First, files, folders, and other associated items are still stored. This means that any important work is not lost and can be accessed by an administrator. Second, this helps with auditing. Suppose a user account JSmith is deleted. Years later, a new employee joins the business and is assigned JSmith as their username. This creates confusion as to which JSmith did what and may allow the new user to access applications above their intended permissions.
Email accounts should also be kept instead of deleted. An email sent to a deleted account will notify no one. The sender will assume it was delivered, and the organization will not notice any loss of functionality. Best practice for email accounts is to set up the old account to forward any incoming mail to an active user, and then remove its licenses. This configuration allows incoming mail to be received as intended, which reduces interruptions. For any account, change the password as soon as possible so the account is not accessed inappropriately.
Have Policies in Place
All firms are different in nature, and each has different needs. Thus, there is no blanket answer for how to handle inactive accounts. Large firms may keep accounts in a disabled status indefinitely, as they have the resources to store these accounts and all the associated files. Smaller firms may think a full deletion is the answer, and if their needs call for it, they may be right to do so. However, the best practice may be a compromise: change the account password, disable the account for a year or more, and then delete it once it is certain that it will not be needed going forward. Regardless of the method a firm decides on, the important thing is to be consistent and let the decision be driven by policies and needs.
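The compromise described above (change the password, disable, delete only after a retention period) can be scripted so it is applied the same way every time. The following is an added example, not part of the original article. It assumes local Windows accounts, a 365-day retention period, and a hypothetical "Offboarded" marker written to the account's Description field; the function names are also hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: local accounts, 365-day retention, and the
# disable date stored in the Description field (limited to 48 characters).
$RetentionDays = 365
$Stamp = 'Offboarded '   # constructed marker, not a Windows convention

function New-RandomPassword {
    # 32 random bytes, base64-encoded; nobody needs to know or store this value.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$Name)
    # Step 1: change the password so the old credentials stop working.
    Set-LocalUser -Name $Name -Password (New-RandomPassword)
    # Step 2: disable sign-in; the profile folder and files stay on disk.
    Disable-LocalUser -Name $Name
    # Record the disable date so the retention clock can be audited later.
    $today = (Get-Date).ToString('yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    Set-LocalUser -Name $Name -Description ($Stamp + $today)
}

function Get-DeletionCandidate {
    # Step 3 (report only): disabled accounts whose retention period has passed.
    # Deletion itself is left to a person, once the account is known to be unneeded.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $none = [System.Globalization.DateTimeStyles]::None
    Get-LocalUser |
        Where-Object { -not $_.Enabled -and $_.Description -like "$Stamp*" } |
        ForEach-Object {
            $date = [datetime]::MinValue
            $text = $_.Description.Substring($Stamp.Length)
            $ok = [datetime]::TryParseExact($text, 'yyyy-MM-dd',
                [cultureinfo]::InvariantCulture, $none, [ref]$date)
            if ($ok -and $date -lt $cutoff) {
                # The SID is included because usernames can be reused; SIDs are not.
                [pscustomobject]@{ Name = $_.Name; DisabledOn = $date; SID = $_.SID.Value }
            }
        }
}

# Usage (JSmith is the article's sample username):
#   Disable-DepartedUser -Name 'JSmith'
#   Get-DeletionCandidate | Format-Table
```

Running `Get-DeletionCandidate` on a schedule gives the firm a consistent review list without deleting anything automatically.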