hi
auditors mostly recommends to administrators to remove dormant accounts that have not logged in for many months. Can i ask the experts here, if these accounts are disabled and dormant at the same time, any ways to use them to break anything? I ask this because if there is no way to break, then we could leave these disabled & dormant accounts as they are. Right?

another qns, If these accounts are configured to be locked after say, 5 tries unsuccessful, and someone tries to break in using an account and gets the account gets locked out, can he/she try other means? what are some other means then? If not, configuring "lock outs" in security policies is a good way to deter brute force right ?

thanks for any advice.