You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company’s corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee’s smart card certificate.
B. Disable the employee’s Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee’s Active Directory account.
Correct Answer: B
Explanation/Reference:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn’t give the clearest direction on this but common sense does.
The case for deleting an account is that, BOOM, no more access. No ifs, ands or buts: if there is no account, it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away.
..
And then the reason for MSFT’s lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
…