PrepAway - Latest Free Exam Questions & Answers

You need to immediately prevent the employee from logging on to the domain

You have an enterprise subordinate certification authority (CA). The CA issues smart card
logon certificates.
Users are required to log on to the domain by using a smart card.
Your company’s corporate security policy states that when an employee resigns, his ability
to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?


A. Revoke the employee’s smart card certificate.

B. Disable the employee’s Active Directory account.

C. Publish a new delta certificate revocation list (CRL).

D. Reset the password for the employee’s Active Directory account.

Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-Onebest-practice
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated
employee in Active Directory. Delete or disable? Microsoft doesn’t give the clearest direction
on this but common sense does.
The case for deleting an account is that, BOOM, no more access. No ifs, ands, or buts: if
there is no account, it cannot do anything. The case for disabling an account is that all of the
SIDs are still attached to the account and you can bring it back and get the same access
right away.
And then the reason for MSFT’s lack of direction came into play. Individual needs of the
customer. This particular customer is a public school system and they often lay off an
employee and have to re-hire them the next month or semester. They need that account
back.

