Recipe16.7.Enabling and Disabling a User Account

Recipe 16.7. Enabling and Disabling a User Account

Problem

You want to enable or disable a user.

Solution

Using a graphical user interface

Open the ADUC snap-in.
In the left pane, right-click on the domain and select Find.
Select the appropriate domain beside In.
Type the name of the user beside Name and click Find Now.
In the Search Results, right-click on the user and select Enable Account or Disable Account.
Click OK.

Using a command-line interface

To enable a user, use the following command:

> dsmod user <UserDN> -disabled no

To disable a user, use the following command:

> dsmod user <UserDN> -disabled yes

Using VBScript

' This code will enable or disable a user. ' ------ SCRIPT CONFIGURATION ------ ' Set to FALSE to disable account or TRUE to enable account strDisableAccount = FALSE   strUserDN = "<UserDN>" ' e.g., cn=jsmith,cn=Users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) if objUser.AccountDisabled = TRUE then    WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"    if strDisableAccount = FALSE then       objUser.AccountDisabled = strDisableAccount       objUser.SetInfo       WScript.Echo "Account enabled"    end if else    WScript.Echo "Account currently enabled"    if strDisableAccount = TRUE then       objUser.AccountDisabled = strDisableAccount       objUser.SetInfo       WScript.Echo "Account disabled"    end if end if

Discussion

Account status is used to control whether a user is allowed to log on. When an account is disabled, the user is not allowed to log on to her workstation with the account or access Active Directory-controlled resources. Much like the lockout status, the account status is stored as a flag in the userAccountControl attribute (see Recipe 16.9).

There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the method FALSE to enable the account or TRUE to disable.