Disable User Security Group Access in Active Directory
When a user is disabled, they lose access to all security groups.
Plain language
Disabling a user's account in Active Directory means they will automatically lose access to all the security groups they were part of. This is important because leaving their access active, even when they no longer work for the organisation, can be a security risk, such as unauthorised access to sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
When a user account is disabled, it is removed from all security group memberships.
Why it matters
Inactive user accounts retaining AD security group memberships can enable unauthorised access to systems and data, increasing breach risk.
Operational notes
When disabling a user in Active Directory, confirm they are removed from all security groups and regularly audit disabled accounts for lingering memberships.
Implementation tips
- The IT team should ensure they have a clear process for disabling user accounts. This involves quickly removing access for users who have left the organisation by updating the user's status in Active Directory.
- HR should notify IT as soon as an employee leaves the organisation. They can do this by sending an exit notice which includes the departure date, ensuring that the IT team disables the account promptly.
- System owners should review security group memberships to confirm no disabled accounts remain. They can accomplish this by generating regular reports from Active Directory that show current group memberships and comparing them with active employee lists.
- Managers should be made aware of the importance of reporting staff changes. They can facilitate this by including an agenda item in regular team meetings to discuss upcoming departures.
- The IT team should regularly audit user accounts to identify any discrepancies. This involves a routine check to ensure accounts marked as disabled do not retain access to any groups, potentially using Active Directory audit tools.
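As an added example that is not code from the Control Stack page or the ISM, the PowerShell below shows the two technical steps the operational note and the last implementation tip describe: disabling the account while stripping its security group memberships (keeping a record of what was removed), and auditing for disabled accounts that still hold memberships. It assumes the ActiveDirectory RSAT module, rights to modify the account and groups, and constructed values (the function names, the evidence folder, the account jdoe and the OU path) that are this example's own.

```powershell
# Added example for ISM-1845; function names, paths and sample values are assumptions.
Import-Module ActiveDirectory

function Disable-UserAndClearGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        # Recorded with the account so the disabled-accounts report carries a departure date
        [Parameter(Mandatory = $true)] [datetime] $DepartureDate,
        # Folder for the pre-removal membership record (assumed path); needed if access must be restored
        [string] $EvidencePath = 'C:\Offboarding'
    )

    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $groups = @($user.memberOf)

    # Keep evidence of the memberships before they are removed.
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $record = [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        DisabledOn     = (Get-Date).ToString('o')
        DepartureDate  = $DepartureDate.ToString('yyyy-MM-dd')
        Groups         = $groups
    }
    $record | ConvertTo-Json -Depth 3 |
        Set-Content -Path (Join-Path $EvidencePath "$($user.SamAccountName).json")

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description "Disabled $((Get-Date).ToString('yyyy-MM-dd')); left $($DepartureDate.ToString('yyyy-MM-dd'))"
    }

    # memberOf never lists the primary group (Domain Users by default), and that group
    # cannot be removed with Remove-ADGroupMember; the audit below therefore ignores it too.
    foreach ($groupDn in $groups) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName)")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }
    return $record
}

function Find-DisabledAccountsWithGroups {
    # Returns every disabled user that still holds a security group membership other
    # than its primary group. An empty result is the "good" evidence the audit tips ask for.
    param([string] $SearchBase)   # optional OU to scope the search

    $params = @{ Filter = 'Enabled -eq $false'; Properties = 'memberOf', 'whenChanged' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Where-Object { $_.memberOf.Count -gt 0 } |
        ForEach-Object {
            # Report only groups of category Security; distribution lists are out of scope here.
            $securityGroups = foreach ($dn in $_.memberOf) {
                $g = Get-ADGroup -Identity $dn
                if ($g.GroupCategory -eq 'Security') { $g.Name }
            }
            if ($securityGroups) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    LastChanged    = $_.whenChanged
                    SecurityGroups = $securityGroups
                }
            }
        }
}

# Usage with constructed values; -WhatIf previews the changes without making them.
# Disable-UserAndClearGroups -SamAccountName 'jdoe' -DepartureDate '2026-03-19' -WhatIf
# Find-DisabledAccountsWithGroups -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Run the audit function on a schedule and keep its output with the exit notices: a disabled account that reappears in the report after its offboarding record was written is the lingering membership the operational note warns about.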
Audit / evidence tips
- Ask: the list of disabled accounts. Request a report from the IT team showing all user accounts currently marked as disabled.
  Good: all listed disabled accounts have corresponding departure dates and no active group memberships.
- Ask: HR for records of all exit notices sent to IT in a given period.
  Good: timestamped notifications with matching records in the IT system for account disabling.
- Ask: to see a sample security group membership report. Obtain a copy of a report from the IT team enumerating security group members.
  Good: the report shows no disabled user accounts in the listed groups.
- Ask: about the process for account disabling. Request written procedures that outline how accounts are to be disabled.
  Good: a documented process with roles clearly defined and steps detailed.
- Ask: the training records on account management. Ensure staff are trained on the importance of user account security.
  Good: recent training sessions with key HR and IT personnel listed.
Cross-framework mappings
How ISM-1845 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.18 | Partially meets | ISM-1845 mandates automatic removal of security group memberships when a user account is disabled to ensure access rights are promptly re... |
| Annex A 8.4 | Supports | Annex A 8.4 requires that access to source code and development tools is appropriately managed, including timely removal of access when n... |
| Annex A 5.16 | Related | Annex A 5.16 requires organisations to manage identities through to deactivation, ensuring access paths are removed when an account is di... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.