“What are the differences between the following accounts
1. Disabled Account
2. Expired Account
3. Locked Account (due to account lockout)
If all the accounts acts in a same way, why they are stored differently in active directory?”
Strictly speaking, they’re not all handled the same way and there are some benefits to the uniqueness of each.
This is a controlled process that offers value where companies have invested in things like a provisioning process that automatically governs the enabled or disabled status of the accounts, or even where an automated process doesn’t apply, such as a guest user or vendor engagement that has no pre-defined expiry date.
Another use is where you wish to disable some accounts for a grace period – in case someone really did still need it, before finally deleting them, as it’s obviously much easier to re-enable an account than recover it (recovery bin aside – that has made things ridiculously easy!).
The real value around accounts being disabled is when the locking process is “tripped” automatically. If there were no such process then people could repeatedly attempt to compromise an account and we’d all be a lot busier trying to manually monitor the event logs (or SCOM or whatever your tool of choice is) for potential breaches and having to disable accounts manually based on that.
Again, the utility here is that you can set an account expiry time and forget about it – literally. In fact, that’s the whole beauty of it: if you forget to come back and manually disable the account, you’re at least still ensuring that the account can’t be used. This is an excellent mechanic for managing contract providers where there’s typically a pre-arranged ending date for the contract itself.
It also ties in neatly with the account provisioning process – if you have invested in such technology.
So, while they all result in the same high level end result of the user not being able to log on, how they arrive at this point is different and through being able to audit that difference, informative.
You obviously don’t have to use all three, but they certainly differ enough mechanically that each brings something useful to IT operations.