Most organizations have procedures in place for removing user accounts that are no longer required. If these procedures are not followed in every instance, then some accounts may remain active for months or years after the account owner has left the organization. Unused accounts are undesirable because they:
1. Provide a means of unauthorized access - People who have left the organization should not have access to network resources, especially any employee or contractor who has left in dispute or moved to a competitor.
2. Are prime targets for brute-force attacks - Password expiration policies have no effect on unused accounts. This gives a cracker enough time to complete a brute-force attack on a previously captured password hash.
3. Can increase license costs - Depending on the licensing model, unused accounts may mean unused software licenses. This can lead to substantial cost increases, especially if server licensing information is used to calculate application license requirements.
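One way to find such accounts is to audit an account export for enabled accounts that have not logged on recently, and to note where the password has outlived the expiration policy. The following is an added example, not part of the original text; the CSV column names, the 90-day thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = """\
account,enabled,last_logon,password_last_set
asmith,true,2024-05-28,2024-04-15
jdoe,true,2023-01-10,2022-11-02
svc_backup,true,,2021-06-30
contractor7,false,2022-08-19,2022-07-01
mlee,true,2024-02-20,2024-01-05
"""

def parse_date(value):
    """Return a datetime for YYYY-MM-DD, or None for an empty field (never logged on)."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None

def find_unused_accounts(export_text, today, inactive_days=90, max_password_age_days=90):
    """List enabled accounts with no logon within inactive_days.

    Each finding also records whether the password is older than the
    expiration policy, i.e. the policy never forced a change.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so it cannot be used to log on
        last_logon = parse_date(row["last_logon"])
        if last_logon is not None and last_logon >= cutoff:
            continue  # account is in active use
        password_age = (today - parse_date(row["password_last_set"])).days
        findings.append({
            "account": row["account"],
            "days_inactive": None if last_logon is None else (today - last_logon).days,
            "password_age_days": password_age,
            "password_past_policy": password_age > max_password_age_days,
        })
    # Accounts that never logged on sort first, then the longest-idle ones.
    idle = lambda f: float("inf") if f["days_inactive"] is None else f["days_inactive"]
    findings.sort(key=idle, reverse=True)
    return findings

if __name__ == "__main__":
    for finding in find_unused_accounts(SAMPLE_EXPORT, today=datetime(2024, 6, 1)):
        print(finding)
```

Accounts reported here are candidates for review against the leaver records before being disabled, since service accounts can legitimately show no interactive logon.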