|
Interesting issue... I could see why using LDIF or moving the accounts to another domain may cause issues, primarily issues with the SID and maintaining that SID through the transitions. ADMT might assist in the move from the Domains, but will still leverage a SID-history mechanism that could lead to issues. An interesting possibility is to move the disabled accounts to an OU. Create a highly restrictive GPO and apply it specifically to the OU. Use a group like, disabled_accounts, and specifically deny network logons, deny logon locally, deny logon as a service, deny logon as a batch job. When you need to prevent a user from access resources you add them to this restrictive group and OU. The group policy is applied and they are prevented from getting to any resource in the organization. Since the account is not deleted or disabled, it will be retained as long as you need it. Keep in mind that I have not tried this myself and I would strongly suggest setting up a testing AD in an isolated lab to make sure that it is working appropriately (preventing the people you don't want and not affecting the remaining population). The last thing you want to do is cripple the entire organization with a GPO.
Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.
|
