In my company we cannot just delete user accounts due to regulatory restrictions. While I can export the user information via LDIF, I cannot restore the most critical information, like group memberships and SID. I have tried using the AD migration tool to move disabled IDs to a different domain, but that has restrictions and quirks as well. Our Win2k AD tombstones objects in 60 days, which is not a long enough period to keep IDs should I need to restore them. Any ideas?
Interesting issue... I could see why using LDIF or moving the accounts to another domain may cause issues, primarily issues with the SID and maintaining that SID through the transitions. ADMT might assist in the move from the domains, but will still leverage a SID-history mechanism that could lead to issues. An interesting possibility is to move the disabled accounts to an OU. Create a highly restrictive GPO and apply it specifically to the OU. Use a group, such as disabled_accounts, and specifically deny network logons, deny logon locally, deny logon as a service, and deny logon as a batch job. When you need to prevent a user from accessing resources, you add them to this restrictive group and OU. The group policy is applied and they are prevented from getting to any resource in the organization. Since the account is not deleted or disabled, it will be retained as long as you need it. Keep in mind that I have not tried this myself, and I would strongly suggest setting up a testing AD in an isolated lab to make sure that it is working appropriately (preventing the people you don't want and not affecting the remaining population). The last thing you want to do is cripple the entire organization with a GPO.
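One way to run the lab check suggested above, as an added example that is not part of the original answer: the Python below reads the text of a `secedit /export /cfg` file taken from a lab computer that received the GPO and reports whether the four deny rights name the restricted group and nothing broader. The group SID and both sample exports are constructed for illustration, and the function names are hypothetical.

```python
# The four user rights named in the answer, by their security-template constants.
DENY_RIGHTS = (
    "SeDenyNetworkLogonRight",      # deny access to this computer from the network
    "SeDenyInteractiveLogonRight",  # deny logon locally
    "SeDenyServiceLogonRight",      # deny logon as a service
    "SeDenyBatchLogonRight",        # deny logon as a batch job
)
# Well-known SIDs covering (nearly) every user; in a deny right they lock out everyone.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section into {right: [principal, ...]}."""
    rights, section = {}, None
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # The export writes SIDs with a leading '*'; strip it for comparison.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def check_deny_rights(inf_text, group_sid):
    """Return findings; an empty list means all four rights name only the group."""
    rights, findings = privilege_rights(inf_text), []
    for right in DENY_RIGHTS:
        members = rights.get(right, [])
        if group_sid not in members:
            findings.append(f"{right}: {group_sid} not listed")
        for m in members:
            if m in BROAD:
                findings.append(f"{right}: broad principal {BROAD[m]}")
            elif m.startswith("S-1-5-21-") and m.endswith("-513"):
                findings.append(f"{right}: broad principal Domain Users")
    return findings

# Constructed sample data: this SID stands in for the disabled_accounts group.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
GOOD_INF = "[Unicode]\nUnicode=yes\n[Privilege Rights]\n" + "".join(
    f"{r} = *{GROUP_SID}\n" for r in DENY_RIGHTS)
# Constructed misconfiguration: Authenticated Users denied, batch right absent.
BAD_INF = ("[Privilege Rights]\n"
           f"SeDenyNetworkLogonRight = *S-1-5-11,*{GROUP_SID}\n"
           f"SeDenyInteractiveLogonRight = *{GROUP_SID}\n"
           f"SeDenyServiceLogonRight = *{GROUP_SID}\n")

if __name__ == "__main__":
    for label, inf in (("good", GOOD_INF), ("bad", BAD_INF)):
        print(label, check_deny_rights(inf, GROUP_SID) or "OK")
```

A finding for a broad principal is the lockout case the answer warns about, so it should block rollout of the GPO outside the lab.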