20.44 Ensure 'Outdated or unused accounts are removed or disabled'


This policy setting ensures that all outdated or unused accounts are removed or disabled.

The recommended STIG state for this setting is: 35 days or older


Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.


Outdated or unused accounts that are older than 35 days will be deleted or disabled.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.

Default Value:


Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205707
Rule ID: SV-205707r569188_rule
STIG ID: WN19-00-000190
Severity: CAT II

See Also