Recipe 6.12 Enabling and Disabling a User

6.12.1 Problem

You want to enable or disable a user.

6.12.2 Solution

6.12.2.1 Using a graphical user interface

6.12.2.2 Using a command-line interface

To enable a user, use the following command:

> dsmod user <UserDN> -disabled no

To disable a user, use the following command:

> dsmod user <UserDN> -disabled yes

6.12.2.3 Using VBScript

' This code will enable or disable a user. ' ------ SCRIPT CONFIGURATION ------ ' Set to FALSE to disable account or TRUE to enable account strDisableAccount = FALSE   strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) if objUser.AccountDisabled = TRUE then    WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"    if strDisableAccount = FALSE then       objUser.AccountDisabled = strDisableAccount       objUser.SetInfo       WScript.Echo "Account enabled"    end if else    WScript.Echo "Account currently enabled"    if strDisableAccount = TRUE then       objUser.AccountDisabled = strDisableAccount       objUser.SetInfo       WScript.Echo "Account disabled"    end if end if

6.12.3 Discussion

Account status is used to control if a user is allowed to log on or not. When an account is disabled, the user is not allowed to log on to her workstation with the account or access AD controlled resources. Much like the lockout status, the account status is stored as a flag in the userAccountControl attribute (see Recipe 6.24).

There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the method FALSE to enable the account or TRUE to disable.

6.12.4 See Also

Recipe 6.13 for finding disabled users, and Recipe 6.24 for more on the userAccountControl attribute