6.12.1 ProblemYou want to enable or disable a user. 6.12.2 Solution6.12.2.1 Using a graphical user interface
6.12.2.2 Using a command-line interfaceTo enable a user, use the following command: > dsmod user <UserDN> -disabled no To disable a user, use the following command: > dsmod user <UserDN> -disabled yes 6.12.2.3 Using VBScript' This code will enable or disable a user. ' ------ SCRIPT CONFIGURATION ------ ' Set to FALSE to disable account or TRUE to enable account strDisableAccount = FALSE strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) if objUser.AccountDisabled = TRUE then WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled" if strDisableAccount = FALSE then objUser.AccountDisabled = strDisableAccount objUser.SetInfo WScript.Echo "Account enabled" end if else WScript.Echo "Account currently enabled" if strDisableAccount = TRUE then objUser.AccountDisabled = strDisableAccount objUser.SetInfo WScript.Echo "Account disabled" end if end if 6.12.3 DiscussionAccount status is used to control if a user is allowed to log on or not. When an account is disabled, the user is not allowed to log on to her workstation with the account or access AD controlled resources. Much like the lockout status, the account status is stored as a flag in the userAccountControl attribute (see Recipe 6.24). There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the method FALSE to enable the account or TRUE to disable. 6.12.4 See AlsoRecipe 6.13 for finding disabled users, and Recipe 6.24 for more on the userAccountControl attribute |