Deleting User Accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you delete a user account from Active Directory, the entry for the user’s rights account certificate that is in the user key table of the root cluster’s configuration database is not automatically deleted. Because of this, the user key table can grow unbounded as new user keys are added, but old ones are not deleted.

To maintain the configuration database, you can create a stored procedure that deletes a user key by its security identifier (SID), and call it as part of your account-removal process each time the associated user account is deleted from Active Directory. Alternatively, you can create and periodically run a script that deletes any user keys from the configuration database whose associated SIDs no longer exist in Active Directory. Note that the periodic script checks every SID in the user key table against Active Directory, so it creates a large load on both SQL Server and Active Directory; run it during off-peak hours and throttle it.
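The following PowerShell script is an added example of the periodic reconciliation approach; it is not Microsoft's code and not part of the original page. The SQL Server name, configuration database name, table name (dbo.UserKeys) and SID column (UserSid, assumed to hold the SID as a string) are assumptions standing in for the real RMS configuration schema, so verify them against your own root cluster's configuration database before running anything. It checks SIDs against the forest global catalog, deletes with a parameterised query, supports a dry run, and pauses between batches to limit the load on SQL Server and Active Directory.

```powershell
# Added example (not Microsoft's code): reconcile the RMS user key table against
# Active Directory and delete rows whose SID no longer exists.
# ASSUMPTIONS: the server, database, table and column names below stand in for
# the real RMS configuration schema; confirm them in your own configuration
# database before running. Requires PowerShell 2.0 or later.
param(
    [string]$SqlServer = "RMSSQL01",                       # assumed SQL Server host
    [string]$Database  = "DRMS_Config_rms_contoso_com_80", # assumed config DB name
    [int]$BatchSize    = 100,   # deletions per batch, to limit SQL Server load
    [int]$PauseSeconds = 10,    # pause between batches, to limit AD and SQL load
    [switch]$DryRun             # list orphaned SIDs without deleting anything
)

$Table     = "dbo.UserKeys"   # assumed user key table
$SidColumn = "UserSid"        # assumed column holding the user's SID as a string
                              # (if it is varbinary, convert with
                              #  System.Security.Principal.SecurityIdentifier)

# Search the global catalog so accounts in any domain of the forest are found;
# searching only the local domain would wrongly treat other domains' users as gone.
$forestRoot = ([ADSI]"LDAP://RootDSE").rootDomainNamingContext
$gc = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestRoot")

function Test-AdSidExists {
    param([string]$Sid)
    # Accept only well-formed SDDL SIDs; the value is interpolated into an LDAP filter.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Malformed SID in user key table: $Sid" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
    $searcher.Filter = "(objectSid=$Sid)"   # AD accepts the string form of a SID here
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    return ($searcher.FindOne() -ne $null)
}

function Get-UserKeySids {
    param([System.Data.SqlClient.SqlConnection]$Conn)
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = "SELECT DISTINCT $SidColumn FROM $Table"
    $reader = $cmd.ExecuteReader()
    $sids = @()
    while ($reader.Read()) { $sids += $reader.GetString(0) }
    $reader.Close()
    return $sids
}

function Remove-UserKey {
    param([System.Data.SqlClient.SqlConnection]$Conn, [string]$Sid)
    # Parameterised delete: the SID value never becomes part of the SQL text.
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = "DELETE FROM $Table WHERE $SidColumn = @sid"
    $cmd.Parameters.AddWithValue("@sid", $Sid) | Out-Null
    return $cmd.ExecuteNonQuery()
}

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$conn.Open()
try {
    $orphans = Get-UserKeySids $conn | Where-Object { -not (Test-AdSidExists $_) }
    Write-Host ("{0} user key SID(s) no longer exist in Active Directory." -f @($orphans).Count)
    if ($DryRun) { $orphans | ForEach-Object { Write-Host "  would delete $_" }; return }

    $done = 0
    foreach ($sid in $orphans) {
        $rows = Remove-UserKey $conn $sid
        Write-Host ("  deleted {0} row(s) for {1}" -f $rows, $sid)
        $done++
        # Throttle: rest between batches so the clean-up does not starve the RMS cluster.
        if ($done % $BatchSize -eq 0) { Start-Sleep -Seconds $PauseSeconds }
    }
}
finally {
    $conn.Close()
}
```

Run it first with -DryRun and compare the reported SIDs against your deleted-account records before letting it delete. If the RMS cluster serves users from a trusted forest, their SIDs will not resolve in this forest's global catalog; exclude those SIDs (for example by their domain SID prefix) or extend Test-AdSidExists to search that forest as well, or the script will remove keys for accounts that still exist.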