20.45 Ensure 'Outdated or unused accounts are removed or disabled'


This policy setting ensures that all outdated or unused accounts are removed or disabled.

The recommended STIG state for this setting is: 35 days or older


Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.


Outdated or unused accounts that are older than 35 days will be deleted or disabled.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.

Default Value:


Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:

Version 2, Release 2, Benchmark Date: May 04, 2021

Vul ID: V-224837

Rule ID: SV-224837r569186_rule

STIG ID: WN16-00-000210

Severity: CAT II

See Also