ISM-1845 ASD Information Security Manual (ISM)

Disable User Security Group Access in Active Directory

When a user account is disabled, it is also removed from every security group it belonged to.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When a user account is disabled, it is removed from all security group memberships.

Source: ASD Information Security Manual (ISM)

Plain language

Disabling a user's account in Active Directory stops it from logging on, but it does not by itself remove the account from the security groups it belonged to. This control requires that, as part of disabling an account, the account is also removed from all of those groups. If the memberships are left in place, the account keeps its access rights on paper, and if it is ever re-enabled, by mistake or by an attacker, it immediately regains access to everything those groups grant, including sensitive information.

Why it matters

A disabled account that keeps its AD security group memberships is one re-enable away from full access: an attacker who gains the right to enable or reset that account regains every permission its groups grant in a single step. Lingering memberships also distort privileged-group reviews and access reports, so the organisation no longer knows who actually holds what.

Operational notes

Disabling an account in Active Directory does not change its group memberships; it only prevents logon. The groups must be removed as a separate step, and the memberships should be recorded before removal so that access can be reinstated correctly if the disablement is reversed. Note that the account's primary group (Domain Users by default) cannot be removed and will remain after the rest are stripped, so audits should look for memberships beyond the primary group. Regularly audit disabled accounts for lingering memberships, paying particular attention to privileged groups such as Domain Admins, where a disabled member still counts toward the group's membership.

Implementation tips

  • The IT team should have a clear, written process for disabling user accounts. For users who have left the organisation this means promptly disabling the account in Active Directory and, in the same step, recording and then removing its security group memberships, since disabling alone leaves them intact.
  • HR should notify IT as soon as an employee leaves the organisation, by sending an exit notice that includes the departure date, so that the IT team can disable the account promptly.
  • System owners should review security group memberships to confirm that no disabled accounts remain. They can do this by generating regular reports from Active Directory that list group members, and comparing them with the current list of active employees.
  • Managers should be made aware of the importance of reporting staff changes, for example by including upcoming departures as a standing agenda item in regular team meetings.
  • The IT team should regularly audit user accounts for discrepancies, with a routine query that lists disabled accounts still holding group memberships beyond their primary group. The Active Directory PowerShell module or an equivalent reporting tool can produce this list directly.
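The following PowerShell is an added example for the operational note and the tips above; it is not Control Stack's or ASD's own code. It assumes the RSAT ActiveDirectory module, a domain-joined host, rights to modify users and groups, and a writable record directory (the path `C:\Offboarding` is an assumption). The first function disables an account and strips its group memberships while writing a record of what was removed; the second is the audit query for disabled accounts that still hold memberships beyond their primary group.

```powershell
# Added example, not Control Stack's or ASD's own code. Assumes the RSAT
# ActiveDirectory module, rights to modify users and groups, and a writable
# record directory (C:\Offboarding is an assumed location).
Import-Module ActiveDirectory

function Disable-UserAndRemoveGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$RecordDirectory = 'C:\Offboarding'   # assumed location for the evidence file
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID

    # memberOf holds every group the account is a direct member of, except the
    # primary group (Domain Users by default). AD stores that one in
    # primaryGroupID and Remove-ADGroupMember cannot remove it, so it is
    # expected to remain on a disabled account.
    $groups = @($user.memberOf)

    # Record the memberships before changing anything: this is the evidence the
    # audit tips ask for and the only reliable way to reinstate access if the
    # disablement turns out to be a mistake.
    $recordPath = Join-Path $RecordDirectory ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $SamAccountName, (Get-Date))
    if ($PSCmdlet.ShouldProcess($recordPath, 'Write membership record')) {
        New-Item -ItemType Directory -Path $RecordDirectory -Force | Out-Null
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            DisabledAt        = (Get-Date).ToString('o')
            PrimaryGroupId    = $user.primaryGroupID
            RemovedGroups     = $groups
        } | ConvertTo-Json | Set-Content -Path $recordPath -Encoding UTF8
    }

    # Disable first: stopping logons is the urgent step. Disabling on its own
    # does NOT touch group membership, which is why the loop below exists.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description ("Disabled {0:yyyy-MM-dd}; groups recorded in {1}" -f (Get-Date), $recordPath)
    }

    $failed = @()
    foreach ($groupDn in $groups) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName")) {
            try {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
            } catch {
                # Typical causes: no rights on the group, or a group in another
                # domain this session cannot reach. Report it rather than hide it.
                $failed += $groupDn
                Write-Warning "Could not remove $SamAccountName from ${groupDn}: $_"
            }
        }
    }

    # Re-read the account so the result reflects what AD actually holds now,
    # not what the script intended. Anything in RemainingGroups is a finding.
    $after = Get-ADUser -Identity $user -Properties memberOf
    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        RecordPath      = $recordPath
        RemainingGroups = @($after.memberOf)
        FailedRemovals  = $failed
    }
}

function Find-DisabledUsersWithGroups {
    # Audit query: disabled accounts that still hold memberships beyond their
    # primary group. Run it per domain; memberOf does not show membership in
    # groups from other domains of the forest.
    Get-ADUser -Filter 'Enabled -eq $false' -Properties memberOf, whenChanged |
        Where-Object { $_.memberOf.Count -gt 0 } |
        Select-Object SamAccountName, whenChanged,
            @{ Name = 'GroupCount'; Expression = { $_.memberOf.Count } },
            @{ Name = 'Groups';     Expression = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }
}

# Usage (run with -WhatIf first to see what would change):
#   Disable-UserAndRemoveGroups -SamAccountName jbloggs -WhatIf
#   Disable-UserAndRemoveGroups -SamAccountName jbloggs
#   Find-DisabledUsersWithGroups | Export-Csv .\disabled-with-groups.csv -NoTypeInformation
```

The account is disabled before the groups are removed so that logon stops immediately even if a later removal fails; the returned object lists any group that could not be removed, and the CSV from the audit query is the "sample security group membership report" the audit tips below ask for, filtered to the cases this control forbids.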

Audit / evidence tips

  • Ask for the list of disabled accounts: request a report from the IT team showing all user accounts currently marked as disabled, together with their group memberships.

    Good: every listed disabled account has a corresponding departure date and no group memberships beyond its primary group.

  • Ask HR for records of all exit notices sent to IT in a given period.

    Good: timestamped notifications with matching account-disablement records in the IT system, showing the account was disabled promptly after the departure date.

  • Ask to see a sample security group membership report: obtain a report from the IT team enumerating the members of security groups, including privileged groups.

    Good: no disabled user accounts appear in the listed groups.

  • Ask about the process for account disabling: request the written procedure that outlines how accounts are disabled.

    Good: a documented process with roles clearly defined and steps detailed, including the removal of group memberships as part of disabling the account.

  • Ask for training records on account management: confirm that staff are trained on the importance of user account security.

    Good: recent training sessions with the key HR and IT personnel listed as attendees.

Cross-framework mappings

How ISM-1845 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets, 2 controls)

  • Annex A 5.16: ISM-1845 requires that when an Active Directory user account is disabled, it is removed from all security group memberships, eliminating ...
  • Annex A 5.18: ISM-1845 mandates automatic removal of security group memberships when a user account is disabled to ensure access rights are promptly re...
