SQL Server – Should I delete disabled Windows Active Directory accounts from SQL 2008

active-directory, logins, sql-server

Is there a risk of not deleting unused Windows logins that have been disabled in AD or is it simply a housekeeping issue?

e.g. Windows authentication is used to provide database access. A user leaves the organisation. Their Active Directory account is disabled, but their SQL login remains.

Best Answer

The simplest scenario is to avoid managing individual AD accounts in SQL Server whenever possible. The most common solution is to use AD groups and provide the groups access to the correct SQL Server database. Then, when people join or leave, the AD administrators control what their rights are within AD. This does assume that the AD team has a well-defined process for managing accounts. This was the solution suggested in the comment by @swasheck. I just thought it deserved to be an answer.
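
The group-based approach described in the answer, as an added T-SQL example that is not part of the original post: it inventories Windows logins granted to individual accounts, then grants access through an AD group instead. The domain `CONTOSO`, the group `CONTOSO\SalesDB_Readers`, the user `CONTOSO\jdoe` and the database `SalesDB` are constructed placeholders.

```sql
-- Added example; CONTOSO, SalesDB_Readers, jdoe and SalesDB are placeholders.

-- 1. Inventory Windows logins granted to individual accounts (type 'U').
--    Group logins are type 'G'. is_disabled reflects the SQL Server login
--    state only, not whether the account is disabled in AD.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       sp.create_date,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.type = 'U'
  AND sp.name NOT LIKE 'NT SERVICE\%'
  AND sp.name NOT LIKE 'NT AUTHORITY\%'
ORDER BY sp.name;
GO

-- 2. Report Windows users and groups that are mapped to SQL Server
--    principals but no longer exist in Windows. An account that is only
--    disabled in AD still exists, so it is not reported here.
EXEC sp_validatelogins;
GO

-- 3. Grant access through an AD group rather than per-user logins.
CREATE LOGIN [CONTOSO\SalesDB_Readers] FROM WINDOWS;
GO
USE SalesDB;
GO
CREATE USER [CONTOSO\SalesDB_Readers] FOR LOGIN [CONTOSO\SalesDB_Readers];
EXEC sp_addrolemember 'db_datareader', 'CONTOSO\SalesDB_Readers';
GO

-- 4. Before removing an individual login, list every path (direct login
--    or group membership) through which that account reaches the server.
EXEC xp_logininfo 'CONTOSO\jdoe', 'all';
GO

-- 5. Once the account is covered by a group (or has left), remove the
--    per-user principals: the database user first, then the server login.
DROP USER [CONTOSO\jdoe];
GO
USE master;
GO
DROP LOGIN [CONTOSO\jdoe];
GO
```

`sp_addrolemember` is used because the question concerns SQL Server 2008; on SQL Server 2012 and later, `ALTER ROLE ... ADD MEMBER` is the current syntax.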