AD account management for long term absentees

Question

Is there any particular best practice regarding domain accounts when it comes to users who are on long term leave (e.g., sick leave, maternity leave etc). Do you just keep their accounts enabled on the assumption they will return one day, or do you take any other measures to satisfy your security teams/auditors? I did read something many years ago around insurance and liability for users logging in whilst supposedly signed off work on long term sick leave. There may be other drivers as to why accounts for such scenarios should be temporarily disabled, trying to establish the risks in leaving the accounts enabled. The challenge could be ensuring they aren't then considered leavers in general account maintenance, and the user's data from home drives, mailboxes etc accidentally deleted.

Answer 1

Hi,

The best practice depends on your organisations Security process, the best practice is to move the users on long term leave to a seperate OU in AD and can be either disabled or kept enabled, but keep a note in the account with the details on the account if it is disabled and the reason for that. Disabling is preferred with complete notes in the account section.
Leavers can be in another OU named with specific Leaver OU, so you will need multiple OUs to differentiate Leavers,Disabled, LongTermAbsentees etc to manage the requiements.Also you can release the licenses if the user is away for long time so you can move licenses around and save cost.

Hope this helps.

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.