Admin Tip #189: Disable accounts vs delete accounts



If you have read much about NT administration you already know this advice, but if you have not, it can save a lot of hassle. User jblow leaves his position. You delete that account. A few days later you receive notification that jblow is returning to his old position, or to a similar position that requires the same access. You use User Manager for Domains to recreate jblow's account. Unfortunately jblow can't seem to access anything. Why not?

Access is controlled by the account's SID (security identifier). The account name has nothing to do with it: every ACL entry on a file, share, registry key or other object records the SID, and the name is only looked up for display. When you delete an account, its SID is gone for good, and every ACL entry that referenced it is left pointing at an orphaned SID. When you create a replacement, even with the same name, it is issued a new SID that matches none of those entries, and thus no access. You can avoid the situation by disabling the account rather than deleting it: a disabled account keeps its SID and its group memberships, so when the user returns to his or her old job you simply re-enable it.
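The following is an added example, not part of the original tip, that demonstrates the point on a single Windows machine with local accounts rather than an NT domain (the mechanism is the same: the ACE stores the SID). It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, an elevated session, and uses a throwaway account name `jblow` and a folder under `%TEMP%`, both placeholders chosen for the demo. It also includes the check a practitioner wants afterwards: listing ACL entries that no longer resolve to a name, which is what a deleted account leaves behind.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tip). Assumes Windows PowerShell 5.1 and
# the LocalAccounts module. 'jblow' and the folder path are demo placeholders.
$User   = 'jblow'
$Folder = Join-Path $env:TEMP 'sid-demo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Throwaway password for the demo account (never reuse this pattern in production).
$pw = ConvertTo-SecureString -AsPlainText -Force ([guid]::NewGuid().ToString() + 'Aa1!')
New-LocalUser -Name $User -Password $pw -Description 'SID demo' | Out-Null
$originalSid = (Get-LocalUser -Name $User).SID.Value
"Original SID: $originalSid"

# Grant the account Modify on the folder. The ACE that gets written stores the
# SID, not the name 'jblow'.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Path A: disable, then re-enable. The SID is unchanged, so the ACE still
# resolves to the account and access is intact.
Disable-LocalUser -Name $User
Enable-LocalUser  -Name $User
$afterReenable = (Get-LocalUser -Name $User).SID.Value
"Disable/enable kept the SID: $($afterReenable -eq $originalSid)"

# Path B: delete, then re-create with the same name. A brand-new SID is issued,
# the old ACE is orphaned, and the new 'jblow' gets nothing from it.
Remove-LocalUser -Name $User
New-LocalUser -Name $User -Password $pw -Description 'SID demo (recreated)' | Out-Null
$afterRecreate = (Get-LocalUser -Name $User).SID.Value
"Delete/recreate kept the SID: $($afterRecreate -eq $originalSid)"

# The check: any ACE whose identity can no longer be translated to a name is
# returned by Get-Acl as a raw S-1-5-21-... string. Those are orphaned SIDs.
"Orphaned ACEs on $Folder :"
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Cleanup of the demo account and folder.
Remove-LocalUser -Name $User
Remove-Item -Path $Folder -Recurse -Force
```

Run it as an administrator; the first comparison prints True and the second False, and the orphaned-ACE listing shows the original SID as a bare string because no account owns it any more. The same `Where-Object` filter run over `Get-Acl` output for shares and home directories is a quick way to find the leftovers of accounts that were deleted instead of disabled.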

This approach may not work for organizations with a very large number of accounts, because a disabled account still occupies its slot. Each account takes a small amount of space in the SAM, which is limited to a maximum size (probably 40MB or so). Within an NT domain, the total number of objects (users, groups and computer accounts) is therefore limited to tens of thousands. To get beyond this limitation, one must consider Windows 2000's Active Directory, which has a theoretical limit of about 4 billion objects.



