Active Directory: Account Disablement 2771



  • Hi - My apologies if this question has been asked and I have missed it: How have you been validating that the terminated accounts have been disabled in AD? I can’t rely on comments noted by the IT staff in helpdesk ticket that they have disable the account…I would think the auditor would want to see the time/date stamp in AD that the account was indeed disabled…Where can you see such evidence then? i.e. what log??
    Any info. you can share on how you’ve tested account termination, I would greatly appreciate it.



  • Hi - Yes, terminated accounts should be checked as it’s an important security control. Usually accounts are marked as disabled and the password reset to a random value.
    Usually, IT Security should be able to provide Audit with information or reports to help facilitate these types of analysis. I’ve also seen cases where auditors are granted privileges to review AD user accounts directly (or they may sit with someone in IT security and spot check also).
    More can be found in links below:
    http-and-#58;//www.google.com/search?hl=en-and-q=how to audit active directory
    http-and-#58;//www.google.com/search?hl=en-and-q=how to check active directory user accounts
    http-and-#58;//www.google.com/search?hl=en-and-q=Terminated active directory user accounts


Log in to reply