#06 Account lifecycle

Account lifecycle with staging and notice

Pipeline active → 30 days idle → disabled → 60 days → deleted, with daily report of what will be touched.

Implementation: 1 day · 4 technologies
The pain

What it costs you today

In a 1,000-employee firm a typical pentest finds between 80 and 140 accounts of ex-employees still active in AD, with security groups intact and M365 licenses assigned, 6 months after their last day. Each one is an account whose password is never rotated, often without MFA, and with access to internal resources. Typical staff turnover is 18% per year, producing ~180 new accounts and ~180 accounts to disable every year; with a manual process 20% stay enabled past the first month. The legal risk is direct: GDPR requires deletion of ex-employee data within 30 days and SOX penalises orphaned privileged accounts. The opportunity cost in wasted licenses comes to roughly USD 24,000 per year for every 100 seats with E5. "The pentest found 4 accounts of ex-executives still in the Domain Admins group" is the real worst case. How many accounts of people who left are still open today?

The value

What changes when you have it

On day one the operations team runs the pipeline once and sees how inactive accounts move through 3 states: 30 days idle → disabled with notification to the manager, 90 days → moved to the "Disabled" OU, 180 days → deleted with CSV log and an entry in the audit file. Each manager notification includes a link to reactivate the account if it is still valid (employee on leave, suspended contract). Security and HR co-own the process and now share the same daily report. The visible output is the daily CSV with the next scheduled events and the auditable historical log. A regulated financial entity went from 132 orphaned accounts to 4 in a single sweep season and then to 0 sustained. The investment pays back in the first external audit cycle, typically 4 to 6 months.
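The daily sweep described above, as an added example (not the page's or the project's own script): it classifies every AD user against the 30/90/180-day thresholds, writes the "what will be touched" CSV in report mode, and only performs the disable / move / delete transitions when run with -Apply. The OU path, file paths, SMTP settings, the reactivation URL and the fallback to whenCreated for accounts that never logged on are assumptions.

```powershell
# Added example, not the page's script. OU, paths, mail settings and the
# reactivation URL below are assumptions; replace them for your domain.
param(
    [switch]$Apply,
    [string]$DisabledOU    = 'OU=Disabled,DC=corp,DC=example',
    [string]$ReportPath    = 'C:\Lifecycle\next-events.csv',
    [string]$AuditLog      = 'C:\Lifecycle\audit.log',
    [string]$SmtpServer    = 'smtp.corp.example',
    [string]$MailFrom      = 'idm@corp.example',
    [string]$ReactivateUrl = 'https://idm.corp.example/reactivate'
)
Import-Module ActiveDirectory
# Next state transition, decided from days idle and where the account is now.
function Get-LifecycleAction {
    param([int]$DaysIdle, [bool]$Enabled, [bool]$InDisabledOU)
    if ($InDisabledOU -and $DaysIdle -ge 180)                        { return 'Delete' }
    if (-not $Enabled -and -not $InDisabledOU -and $DaysIdle -ge 90) { return 'MoveOU' }
    if ($Enabled -and $DaysIdle -ge 30)                              { return 'Disable' }
    return 'None'
}
$now  = Get-Date
$plan = foreach ($u in Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, Manager) {
    # Never-logged-on accounts are measured from creation (assumption), not treated as fresh.
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $days = [int]($now - $last).TotalDays
    $inOU = $u.DistinguishedName -like "*,$DisabledOU"
    $act  = Get-LifecycleAction -DaysIdle $days -Enabled $u.Enabled -InDisabledOU $inOU
    if ($act -ne 'None') {
        [pscustomobject]@{ Date=$now.ToString('s'); User=$u.SamAccountName; DaysIdle=$days; Action=$act; Manager=$u.Manager }
    }
}
# The daily report lists every account that would be touched, applied or not.
@($plan) | Export-Csv -Path $ReportPath -NoTypeInformation
if (-not $Apply) { return }
foreach ($p in $plan) {
    switch ($p.Action) {
        'Disable' {
            Disable-ADAccount -Identity $p.User
            # Manager gets the notice with the reactivation link (leave, suspended contract).
            $mgr = if ($p.Manager) { (Get-ADUser $p.Manager -Properties EmailAddress).EmailAddress }
            if ($mgr) {
                Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $mgr -Subject "Account $($p.User) disabled after $($p.DaysIdle) idle days" `
                    -Body "Reactivate if still valid: $ReactivateUrl?user=$($p.User)"
            }
        }
        'MoveOU' { Get-ADUser $p.User | Move-ADObject -TargetPath $DisabledOU }
        'Delete' { Remove-ADUser -Identity $p.User -Confirm:$false }
    }
    Add-Content -Path $AuditLog -Value "$($p.Date) $($p.Action) $($p.User) idle=$($p.DaysIdle)"
}
```

Scheduled daily without -Apply from Task Scheduler, the script only refreshes the CSV of upcoming events; a second task with -Apply performs the transitions after the report has been reviewed.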

Stack
Technologies we touch in the implementation
PowerShell 7
ActiveDirectory
Send-MailMessage
Task Scheduler

FSM: active → disable → move OU → delete, with notifications

Technical references
Account lifecycle

I want to implement this

Let's talk for 20 minutes about your environment and review scope, architecture and the work plan together. No commitment.