Why Disabled Accounts in Active Directory Are a Security Risk You Can’t Ignore
When an employee leaves or a service account is retired, the easy move is to just disable the account and move on. But disabled accounts are often overlooked during security reviews, and that neglect can create serious gaps in your environment. Attackers know this — disabled doesn’t mean unreachable, especially if the account still exists in Active Directory with its original group memberships and permissions intact. A compromised disabled account with Domain Admin group membership is just as dangerous as an active one.
The real problem is that disabled accounts accumulate over time, and most IT teams don’t have a reliable process to audit them regularly. When you’re focused on active threats, it’s easy to forget that a stale account with overly permissive group membership is a ticking clock. The fix is straightforward: schedule regular reviews of disabled accounts, strip unnecessary group memberships as part of the disable process, and treat disabled accounts with the same rigor as active ones when it comes to sensitive group membership.
A practical starting point is running a PowerShell query to pull all disabled accounts and their group memberships at once, then cross-referencing against your most sensitive groups like Enterprise Admins and Domain Admins. This takes an hour or two to set up and can surface accounts that have been sitting with elevated permissions long after they should have been cleaned up. The goal is simple: disabled accounts should have zero access to anything critical.
Sample PowerShell script (requires the ActiveDirectory module from RSAT; it lists the direct group memberships of every disabled user):

# Pull every disabled user together with its MemberOf attribute (direct memberships only).
$DisabledUsers = Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf
foreach ($User in $DisabledUsers) {
    Write-Host "Username: $($User.Name)"
    foreach ($Group in $User.MemberOf) {
        # $Group is the group's distinguished name, e.g. CN=Domain Admins,CN=Users,DC=corp,DC=example
        Write-Host "Group: $Group"
    }
}
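The cross-reference against sensitive groups described above, written out as an added example (not code from the original post). It assumes the ActiveDirectory RSAT module on a domain-joined host, and the $SensitiveGroups list is an assumed starting set to extend with your own Tier 0 groups. Unlike the user's MemberOf attribute, Get-ADGroupMember -Recursive expands nested groups, so a disabled account that reaches Domain Admins through an intermediate group is still caught.

```powershell
# Added example: find disabled users that still sit in sensitive groups, directly or via nesting.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Assumed starting set of sensitive groups; names are English defaults, adjust for localized domains.
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

# Lookup of disabled users keyed by DistinguishedName, with dates useful for the review record.
$Disabled = @{}
Get-ADUser -Filter {Enabled -eq $false} -Properties whenChanged, LastLogonDate |
    ForEach-Object { $Disabled[$_.DistinguishedName] = $_ }

$Findings = foreach ($GroupName in $SensitiveGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { Write-Warning "Group '$GroupName' not found, skipping"; continue }

    # -Recursive walks nested groups; MemberOf on the user object only shows direct membership.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $Disabled.ContainsKey($_.distinguishedName) } |
        ForEach-Object {
            $u = $Disabled[$_.distinguishedName]
            [pscustomobject]@{
                SensitiveGroup    = $GroupName
                SamAccountName    = $u.SamAccountName
                LastLogonDate     = $u.LastLogonDate
                LastChanged       = $u.whenChanged
                DistinguishedName = $u.DistinguishedName
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object SensitiveGroup, SamAccountName | Format-Table -AutoSize
    # Keep a dated record for the access review; the script itself is read-only.
    $Findings | Export-Csv -Path ".\DisabledPrivilegedAccounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
    # Remediation is a separate, approved step; preview it first with -WhatIf:
    # $Findings | ForEach-Object { Remove-ADGroupMember -Identity $_.SensitiveGroup -Members $_.SamAccountName -WhatIf }
} else {
    Write-Host "No disabled accounts found in the sensitive groups."
}
```

Get-ADGroupMember -Recursive cannot expand foreign security principals from trusted domains and may fail on very large groups, so treat the output as a starting list rather than a complete inventory.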
