Most organizations implement a disable-then-delete workflow for departed employees' AD accounts, and there are solid technical reasons for this practice. When you disable an account first, you maintain the security principal's SID (Security Identifier) while preventing authentication attempts. This is crucial because:

# PowerShell example to disable account while preserving attributes
Disable-ADAccount -Identity "jdoe"
Get-ADUser jdoe -Properties * | Export-Clixml "\\archive\ADBackups\jdoe_$(Get-Date -Format yyyyMMdd).xml"

The quarterly deletion cycle serves multiple purposes:

• Access Auditing: The disabled account remains available for security audits of historical access
• Resource Ownership: Many systems might still reference the account via SID for permissions
• Legal Holds: Compliance requirements may mandate account preservation for investigations

Deleting accounts immediately after mailbox export can cause:

# Potential impact on systems referencing the account
$DeletedSID = (Get-ADUser jdoe -Properties *).SID
Get-ChildItem "\\fileserver\department\" -Recurse | 
    Where-Object { $_.GetAccessControl().Owner -eq $DeletedSID }
# Result: Orphaned permissions that are harder to trace

For optimal balance between security and maintainability:

1. Disable account immediately upon departure
2. Run this cleanup script after 30-90 days:

# Automated cleanup script example
$CutoffDate = (Get-Date).AddDays(-90)
$StaleAccounts = Search-ADAccount -AccountDisabled -UsersOnly | 
    Where-Object { $_.WhenChanged -lt $CutoffDate }

$StaleAccounts | ForEach-Object {
    # Backup critical attributes first
    $_ | Export-Clixml "\\archive\ADCleanup\$($_.SamAccountName)_backup.xml"
    
    # Remove from all groups
    Get-ADPrincipalGroupMembership $_ | 
        Remove-ADGroupMember -Members $_ -Confirm:$false
    
    # Delete account
    Remove-ADUser -Identity $_ -Confirm:$false
}

When dealing with Exchange mailboxes:

# Proper mailbox export before deletion
New-MailboxExportRequest -Mailbox jdoe -FilePath "\\archive\Exports\jdoe.pst"
# Wait for completion, then:
Disable-Mailbox -Identity jdoe -Confirm:$false

In Active Directory management, the choice between immediate deletion and temporary disabling of departed employee accounts involves multiple technical considerations:

• Access audit trails preservation
• Resource ownership tracking
• Compliance requirements
• Cleanup automation impact

The standard practice of disabling accounts before eventual deletion serves several purposes:

# Example PowerShell to disable account and export mailbox
Disable-ADAccount -Identity "username"
$mailboxStats = Export-Mailbox -Identity "username" -PSTFolderPath "\\archive\username.pst"
Set-Mailbox -Identity "username" -HiddenFromAddressListsEnabled $true

The quarterly cleanup cycle (rather than immediate deletion) helps with:

1. Identifying dependencies (shared calendars, distribution groups)
2. Allowing for departmental reviews of access needs
3. Maintaining SID references during transition periods

Consider this automated cleanup approach for high-turnover scenarios:

# Automated cleanup script (run after compliance review)
$departingUsers = Import-Csv "terminations.csv"
foreach ($user in $departingUsers) {
    # Verify mailbox export completion
    if ((Get-MailboxExportRequest -Identity $user.Username).Status -eq "Completed") {
        Remove-Mailbox -Identity $user.Username -Confirm:$false
        Remove-ADUser -Identity $user.Username -Confirm:$false
        Write-Log "Deleted $($user.Username) and associated mailbox"
    }
}

For most enterprises, we recommend:

• Immediate disable (security)
• 60-90 day retention period (compliance)
• Scheduled automated deletion (cleanliness)

# Scheduled task to process stale disabled accounts
Get-ADUser -Filter {Enabled -eq $false} -Properties LastLogonDate |
Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)} |
ForEach-Object {
    # Archive and remove process
    Process-AccountDeletion -User $_
}