What it costs you today
In a 1,000-employee firm a typical pentest finds between 80 and 140 accounts of ex-employees still active in AD, with security groups intact and M365 licenses assigned, 6 months after their last day. Each one is an account whose password is never rotated, often without MFA, and with access to internal resources. Typical staff turnover is 18% per year, producing ~180 new accounts and ~180 accounts to disable every year; with a manual process, 20% stay enabled past the first month. The legal risk is direct: GDPR requires deletion of ex-employee data within 30 days, and SOX punishes orphaned privileged accounts. The opportunity cost in wasted licenses comes to roughly USD 24,000 per year for every 100 seats with E5. "The pentest found 4 accounts of ex-executives with the Domain Admin group" is the real worst case. How many accounts of people who left are still open today?
What changes when you have it
On day one the operations team runs the pipeline once and sees how inactive accounts move through 3 states: 30 days idle → disabled with notification to the manager, 90 days → moved to the "Disabled" OU, 180 days → deleted with a CSV log and an entry in the audit file. Each manager notification includes a link to reactivate the account if it is still valid (employee on leave, suspended contract). Security and HR jointly own the process and now share the same daily report. The visible output is the daily CSV with the next scheduled events plus the auditable historical log. A regulated financial entity went from 132 orphaned accounts to 4 in a single cleanup cycle and then to 0 sustained. The investment pays back in the first external audit cycle, typically 4 to 6 months.
FSM: active → disable → move OU → delete, with notifications
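One pass of the three-state pipeline described above, written as an added PowerShell example (not the project's own script); it assumes the ActiveDirectory module, a "Disabled" OU, an SMTP relay and a reactivation portal, and every name marked as a placeholder is an assumption.

```powershell
# Added example, not the project's code: one sweep of the 30/90/180-day lifecycle.
Import-Module ActiveDirectory

$DisabledOU    = 'OU=Disabled,DC=corp,DC=example'     # placeholder DN of the parking OU
$LogPath       = 'C:\AD-Lifecycle\actions.csv'        # placeholder audit log path
$ReactivateUrl = 'https://<portal>/reactivate?sam='   # placeholder reactivation link
$SmtpServer    = '<smtp-relay>'                       # placeholder relay
$Now = Get-Date

# lastLogonTimestamp replicates only when it is more than ~14 days stale, so
# LastLogonDate means "at least this old", never an exact last sign-in.
$users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, Enabled, Manager

foreach ($u in $users) {
    # Accounts that never logged on fall back to creation date, so they still age out.
    $lastSeen     = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $idleDays     = [int]($Now - $lastSeen).TotalDays
    $inDisabledOU = $u.DistinguishedName -like "*,$DisabledOU"

    # State transitions: the order matters, each account advances one step per sweep.
    $action = $null
    if     ($idleDays -ge 180 -and -not $u.Enabled -and $inDisabledOU)      { $action = 'delete' }
    elseif ($idleDays -ge 90  -and -not $u.Enabled -and -not $inDisabledOU) { $action = 'move' }
    elseif ($idleDays -ge 30  -and $u.Enabled)                               { $action = 'disable' }
    if (-not $action) { continue }

    switch ($action) {
        'disable' {
            Disable-ADAccount -Identity $u
            if ($u.Manager) {   # notify the manager with a way to reverse the change
                $mgrMail = (Get-ADUser -Identity $u.Manager -Properties mail).mail
                Send-MailMessage -To $mgrMail -From 'iam@corp.example' -SmtpServer $SmtpServer `
                    -Subject "Account $($u.SamAccountName) disabled after $idleDays idle days" `
                    -Body "Reactivate if still needed: $ReactivateUrl$($u.SamAccountName)"
            }
        }
        'move'   { Move-ADObject   -Identity $u -TargetPath $DisabledOU }
        'delete' { Remove-ADObject -Identity $u -Confirm:$false }
    }

    # Append-only audit record for every transition, one row per action.
    [pscustomobject]@{
        Timestamp = $Now.ToString('s'); User = $u.SamAccountName
        IdleDays  = $idleDays;          Action = $action; DN = $u.DistinguishedName
    } | Export-Csv -Path $LogPath -NoTypeInformation -Append
}
```

Run it first with `-WhatIf` appended to the three AD cmdlets and scope `Get-ADUser` with `-SearchBase` to exclude service and break-glass accounts before letting it act.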
I want to implement this
Let's talk 20 minutes about your environment and review scope, architecture and the work plan together. No commitment.
Related projects
Morning Active Directory health check
One daily email with the real state of your AD: replication, lockouts, expired passwords, new GPOs.
Automated onboarding and offboarding
One script creates the user in AD, M365, groups, license and mailbox — or removes them cleanly in 30 seconds.
Password and out-of-policy account audit
Detects PasswordNeverExpires accounts, expired passwords, password age, and weak patterns.