Why do we only disable account but not delete?

I’m just making my way through the CompTIA course where the instructor mentions that when a
member of staff is leaving the company we only disable his / her account but do not delete it.

Why? Is it because we may need data on the account later on?

1- Forensics. If your organization has a need to pursue legal action against an employee or contractor, you will need the original account (SID).

2- Automated Tasks - Users, especially IT workers, tend to set up automated tasks to do things like run jobs, automate reports, recycle services, etc. You're going to be in a bind if you delete the user account before you realize there were complex jobs or tasks tied to the IDs. You can't simply recreate the account with the same name because the SID won't be the same, and that's what the automated tasks look at, not the visible name of the account.

If you disable first, you can always re-enable the account, change or recover the password, and you're back in business until you get the job transitioned over to a legitimate service account.

If you delete a user and later on you discover that he or she has encrypted some files and folders using EFS, you will not be able to decrypt them.

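The points above (keep the SID, disable rather than delete, find automated tasks and EFS-encrypted files still tied to the user) can be turned into a checklist script. The following is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module is installed, that the account name is passed as `$SamAccountName`, and that `$ProfilePath` points at the user's home or profile directory (a hypothetical parameter, adjust to your environment).

```powershell
<#
  Offboarding checklist (added example): disable the account, record its SID,
  and report anything that still depends on it before anyone considers deletion.
  Assumes: ActiveDirectory module, domain-joined host, rights to disable accounts.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $ProfilePath = "\\fileserver\home\$SamAccountName",   # assumed path
    [string] $ReportPath  = "$env:TEMP\offboarding-$SamAccountName.txt"
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# 1. Record the SID before touching anything. Legal/forensic work needs the original
#    SID; a recreated account with the same name would get a different one.
$report = @(
    "Account:     $($user.SamAccountName)",
    "SID:         $($user.SID.Value)",
    "DN:          $($user.DistinguishedName)",
    "Groups:      $($user.MemberOf -join '; ')",
    "Disabled at: $(Get-Date -Format o)"
)

# 2. Disable rather than delete, and leave a note so the next admin knows why.
Disable-ADAccount -Identity $user
Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd') for offboarding; keep account (SID retained)"

# 3. Scheduled tasks on this host whose principal is the departing user.
$tasks = Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$SamAccountName" }
foreach ($t in $tasks) {
    $report += "Scheduled task still runs as user: $($t.TaskPath)$($t.TaskName)"
}

# 4. Windows services whose logon account is the departing user.
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$SamAccountName*" }
foreach ($s in $services) {
    $report += "Service still runs as user: $($s.Name) ($($s.State))"
}

# 5. EFS-encrypted files in the user's profile. These are only recoverable while the
#    user's key (or a configured data recovery agent) still exists.
if (Test-Path $ProfilePath) {
    $encrypted = Get-ChildItem -Path $ProfilePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
    foreach ($f in $encrypted) {
        $report += "EFS-encrypted file: $($f.FullName)"
    }
    $report += "EFS-encrypted file count: $($encrypted.Count)"
}

$report | Set-Content -Path $ReportPath
Write-Output "Offboarding report written to $ReportPath"
```

Run it once per departing user and keep the report with the HR ticket. If a task or service turns up in the report, `Enable-ADAccount -Identity $SamAccountName` brings the account back long enough to move the job to a proper service account; nothing about the SID or group membership is lost by disabling. The task and service checks only cover the host the script runs on, so run it against each server the user administered, or wrap steps 3 and 4 in `Invoke-Command` for a server list.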

Thanks for the explanation.