Lesson 5.2 — Unnecessary accounts: guest accounts, old users, local admins and supplier access

This lesson helps the learner identify and remove or disable unnecessary user accounts across devices, servers, cloud services and network equipment.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • identify unnecessary user accounts, including guest accounts, unused local accounts, old staff accounts, old supplier accounts, test accounts and unused administrator accounts

Why This Matters

This lesson explains how unnecessary accounts create avoidable risk, how this requirement differs from the wider user access control module, and how to build a practical account clean-up record before submission.

The Core Rule

Cyber Essentials expects organisations to regularly remove or disable unnecessary user accounts.

This includes guest accounts, unused local accounts, old staff accounts, old supplier accounts, test accounts, setup accounts, default vendor accounts and administrative accounts that will not be used.

What the CE Assessor Looks For

A strong position shows:

  • guest accounts are disabled unless specifically justified;
  • old staff accounts are removed or disabled;
  • old contractor and supplier accounts are removed;
  • unused administrator accounts are removed or disabled;
  • local accounts are reviewed;
  • default vendor accounts are removed, disabled or controlled.

Common Mistakes

  • checking only Microsoft 365 and ignoring other systems;
  • removing central accounts but forgetting SaaS accounts;
  • forgetting local accounts on devices;
  • forgetting old IT provider accounts;
  • forgetting guest accounts;
  • forgetting test and setup accounts.

Copy This

Keep this rule visible:

If an account is active, it needs a current owner and a current reason.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What does Cyber Essentials expect organisations to do with unnecessary user accounts?
  • [ ] Why are unnecessary accounts risky?
  • [ ] What are the three main outcomes for an unnecessary or unclear account?
  • [ ] Are guest accounts usually acceptable if nobody knows why they are enabled?
  • [ ] Why should local accounts be reviewed separately from central cloud accounts?

Your Action

Do this now — it takes 10–20 minutes.

Run a check for guest accounts, old user accounts, and unused local admin accounts on your main device types. Record findings in Section SC.
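The check above ends with a record of findings. The script below is an added example written for this lesson, not part of the course material or of Cyber Essentials wording: it takes an account inventory pulled together from several systems (cloud directory, SaaS tools, local device accounts) and applies the lesson's rule that an active account needs a current owner and a current reason. The inventory fields, the 90-day "unused" threshold, the outcome names (remove / disable / keep) and the sample accounts are all assumptions constructed for the example. It also lists systems you expected to review but that contributed no accounts, which is how the "checked only Microsoft 365" mistake shows up in practice.

```python
"""Unnecessary account review helper (example code for this lesson, not
Cyber Essentials' own wording). Inventory format, thresholds, outcome
names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # assumed: no sign-in for longer than this counts as unused


@dataclass
class Account:
    system: str                     # e.g. "M365", "SaaS:CRM", "local:LAPTOP-01"
    username: str
    enabled: bool
    is_admin: bool
    owner: Optional[str]            # named current owner, or None if nobody claims it
    reason: Optional[str]           # documented current reason, or None
    last_sign_in: Optional[date]    # None if the system has no record of a sign-in
    kind: str = "user"              # "user", "guest", "test", "setup", "vendor-default"


def is_stale(acct: Account, today: date) -> bool:
    """An account with no recorded sign-in, or none within STALE_DAYS, is unused."""
    if acct.last_sign_in is None:
        return True
    return (today - acct.last_sign_in).days > STALE_DAYS


def review_account(acct: Account, today: date):
    """Apply the rule 'an active account needs a current owner and a current
    reason'. Returns (outcome, note); outcomes are the assumed names
    'remove', 'disable' or 'keep'."""
    if not acct.enabled:
        if acct.owner is None or acct.reason is None:
            return "remove", "already disabled and nobody owns it; remove so it cannot be quietly re-enabled"
        return "keep", "disabled, owned and justified (e.g. a sealed emergency admin account)"
    if acct.owner is None:
        return "disable", f"enabled {acct.kind} account with no current owner"
    if acct.reason is None:
        return "disable", f"enabled {acct.kind} account with an owner but no current reason"
    if acct.is_admin and is_stale(acct, today):
        return "disable", f"administrator account unused for more than {STALE_DAYS} days"
    if is_stale(acct, today):
        return "keep", f"owned and justified but no sign-in within {STALE_DAYS} days; confirm with owner"
    return "keep", "owned, justified and in use"


def build_cleanup_record(inventory, today: date):
    """One row per account: the clean-up record to file with the submission."""
    rows = []
    for acct in inventory:
        outcome, note = review_account(acct, today)
        rows.append({"system": acct.system, "username": acct.username, "kind": acct.kind,
                     "admin": acct.is_admin, "outcome": outcome, "note": note})
    return rows


def unreviewed_systems(inventory, expected_systems):
    """Systems the organisation uses that contributed no accounts to the review."""
    covered = {a.system for a in inventory}
    return sorted(s for s in expected_systems if s not in covered)


def summarise(rows):
    """Count of accounts per outcome."""
    counts = {}
    for r in rows:
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
    return counts


# Constructed sample inventory and review date (not real data).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Account("M365", "alice", True, False, "Alice (Finance)", "finance team member", date(2024, 5, 30)),
    Account("M365", "guest", True, False, None, None, None, kind="guest"),
    Account("M365", "bob", True, True, None, None, date(2023, 11, 2)),            # leaver, still enabled
    Account("M365", "dave", True, True, "Dave (IT)", "tenant admin", date(2024, 1, 1)),
    Account("SaaS:CRM", "oldsupplier", True, False, None, "2022 migration", date(2022, 3, 1)),
    Account("SaaS:HR", "erin", True, False, "Erin (HR)", "HR system user", None),
    Account("local:LAPTOP-01", "setup", True, True, "IT", None, None, kind="setup"),
    Account("local:LAPTOP-01", "breakglass", False, True, "IT", "emergency local admin", None),
    Account("local:LAPTOP-02", "carol", False, False, None, None, date(2023, 1, 5)),
]
# Systems the organisation says it uses; the firewall has no entries in INVENTORY.
EXPECTED_SYSTEMS = ["M365", "SaaS:CRM", "SaaS:HR", "local:LAPTOP-01",
                    "local:LAPTOP-02", "network:firewall"]

if __name__ == "__main__":
    record = build_cleanup_record(INVENTORY, TODAY)
    for row in record:
        print(f"{row['system']:18} {row['username']:12} {row['outcome']:8} {row['note']}")
    print("summary:", summarise(record))
    print("systems with no accounts reviewed:", unreviewed_systems(INVENTORY, EXPECTED_SYSTEMS))
```

Disabling comes before removing in the rules so that an account nobody can vouch for is switched off first and only deleted once it is clear nothing depends on it; a disabled account that still has no owner is then a removal candidate, because disabled-but-present accounts are easily re-enabled by mistake. Run the review per system type rather than once against the central directory: the local device rows are the ones most often missed.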

Key Takeaway

If an account is active, it needs a current owner and a current reason.

Your Workbook Activity

Complete: Unnecessary account review and clean-up record

Next Lesson

In the next lesson: Default and guessable passwords: changing unsafe credentials without storing secrets