During a DIRT restore recently, there were approximately 20 Unity accounts which we determined were still in Unity even though the employees had left the company. (The security team had deleted the AD/Exchange accounts when these people left the company, but they did not delete them from Unity.)
The restore process (the unitydirsvc, to be exact) has recreated these 20 Active Directory accounts in the Unity OU. This has raised a lot of flags with the security team, as Unity is not supposed to be able to create AD accounts, only to import existing user accounts from AD.
I realize the unitydirsvc has the permissions to actually do this, but should this be happening? We are now under security audit due to this issue and need to give the security team an explanation as to why this happened.
My question is: if we have configured Unity only to import existing accounts during the PW configuration, should it be able to recreate these deleted AD accounts? Or is this going to continue to happen every time a Unity account deletion is missed and a restore/resync is performed?