Disabling user account

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"mani" <mani@idt.com> wrote in message
news:#Fvpz$K2EHA.1452@TK2MSFTNGP11.phx.gbl...
> I would like to know how to diable an account when it is place into an OU
I
> can created? I would like to accomplish this via GPO. Does anyone have
> any suggestion?

It (probably) doesn't really make sense to disable an
account through a GPO.

First, who or what would you link the GPO to? When,
if ever, would it be applied?

If now, why not just disable the account?

When would it STOP being applied?

What are you really trying to accomplish, other
than disabling some specific account?


--
Herb Martin


>
>

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have a script that I use to disable a user account, move it to a "disabled
users OU" , deletes the home folder on whatever server it exists on, removes
the terminal server home folder if it exists and replicates the change to the
domain controller the user logs on to to make sure the account is disabled
"out there" in their office immediatly, instead of when the normal
replication would take place.

I would do something similar in your case.

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"ylekiot1 Wyle E Coyote" <ylekiot1WyleECoyote@discussions.microsoft.com>
wrote in message news:1168251A-6376-477C-BD58-11950A95CF90@microsoft.com...
>
> I have a script that I use to disable a user account, move it to a
"disabled
> users OU" , deletes the home folder on whatever server it exists on,
removes
> the terminal server home folder if it exists and replicates the change to
the
> domain controller the user logs on to to make sure the account is disabled
> "out there" in their office immediatly, instead of when the normal
> replication would take place.
>
> I would do something similar in your case.

I would NOT include the DISABLE in the script or
depend on the GPO in any way for the disable.

Remember, the GPO will not apply to network connections
that don't constitute a logon so a supposedly disabled user
would still be able to make network only connections.

The idea of the disabled GPO is not a bad one, but one of
the steps should be to also manually disable the user's account.

--
Herb Martin

Archived from groups: microsoft.public.win2000.active_directory (More info?)

circa Fri, 3 Dec 2004 15:12:28 -0600, in
microsoft.public.win2000.active_directory, Herb Martin
(news@LearnQuick.com) said,
> "ylekiot1 Wyle E Coyote" <ylekiot1WyleECoyote@discussions.microsoft.com>
> wrote in message news:1168251A-6376-477C-BD58-11950A95CF90@microsoft.com...
> >
> > I have a script that I use to disable a user account, move it to a
> "disabled
> > users OU" , deletes the home folder on whatever server it exists on,
> removes
> > the terminal server home folder if it exists and replicates the change to
> the
> > domain controller the user logs on to to make sure the account is disabled
> > "out there" in their office immediatly, instead of when the normal
> > replication would take place.
> >
> > I would do something similar in your case.
>
> I would NOT include the DISABLE in the script

Why? It sounds like it is the entire purpose of this poster's script
(and note that this is not the same person who posted the question
originally).

> or
> depend on the GPO in any way for the disable.

The person to whom you are responding does not do so, as far as I can
tell.
>
> Remember, the GPO will not apply to network connections
> that don't constitute a logon so a supposedly disabled user
> would still be able to make network only connections.

Huh?
>
> The idea of the disabled GPO is not a bad one, but one of
> the steps should be to also manually disable the user's account.

Huh?

Am I missing something? The post to which you are responding doesn't
say anything at all about using a GPO. It suggests scripting the
disable, which is the same suggestion the original poster has been
given in the other newsgroups where s/he posted the question. Did I
miss a post somewhere?

Thanks,

Laura
>
>

--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Archived from groups: microsoft.public.win2000.active_directory (More info?)

--
Herb Martin


"Laura A. Robinson" <geekwench@snippit.hotmail.com> wrote in message
news:MPG.1c1d5af78034630c98aecd@msnews.microsoft.com...

> > > I have a script that I use to disable a user account, move it to a
> > "disabled
> > > users OU" , deletes the home folder on whatever server it exists on,
> > removes
> > > the terminal server home folder if it exists and replicates the change
to
> > the
> > > domain controller the user logs on to to make sure the account is
disabled
> > > "out there" in their office immediatly, instead of when the normal
> > > replication would take place.
> > >
> > > I would do something similar in your case.
> > I would NOT include the DISABLE in the script
>
> Why? It sounds like it is the entire purpose of this poster's script
> (and note that this is not the same person who posted the question
> originally).

The reasons were given in my previous message (2 back
from me now in this thread.)

> > Remember, the GPO will not apply to network connections
> > that don't constitute a logon so a supposedly disabled user
> > would still be able to make network only connections.
>
> Huh?

Which part don't you understand?

GPOs are not invoked for network authentications
which are not part of a logon (at a machine or through
terminal services.)

So were one to depend on a GPO to apply the DISABLE
then the account might remain Enabled far longer than
desired.

> > The idea of the disabled GPO is not a bad one, but one of
> > the steps should be to also manually disable the user's account.
>
> Huh?
>
> Am I missing something?

Probably.

Archived from groups: microsoft.public.win2000.active_directory (More info?)

circa Sun, 5 Dec 2004 22:42:10 -0600, in
microsoft.public.win2000.active_directory, Herb Martin
(news@LearnQuick.com) said,
>
> > > > I have a script that I use to disable a user account, move it to a
> > > "disabled
> > > > users OU" , deletes the home folder on whatever server it exists on,
> > > removes
> > > > the terminal server home folder if it exists and replicates the change
> to
> > > the
> > > > domain controller the user logs on to to make sure the account is
> disabled
> > > > "out there" in their office immediatly, instead of when the normal
> > > > replication would take place.
> > > >
> > > > I would do something similar in your case.
> > > I would NOT include the DISABLE in the script
> >
> > Why? It sounds like it is the entire purpose of this poster's script
> > (and note that this is not the same person who posted the question
> > originally).
>
> The reasons were given in my previous message (2 back
> from me now in this thread.)

And you're responding to a message that has nothing to do with that;
the poster recommended a *script*.
>
> > > Remember, the GPO will not apply to network connections
> > > that don't constitute a logon so a supposedly disabled user
> > > would still be able to make network only connections.
> >
> > Huh?
>
> Which part don't you understand?

The part where you discuss GPOs with somebody who recommended a
scripting solution.
>
> GPOs are not invoked for network authentications
> which are not part of a logon (at a machine or through
> terminal services.)
>
> So were one to depend on a GPO to apply the DISABLE
> then the account might remain Enabled far longer than
> desired.
>
> > > The idea of the disabled GPO is not a bad one, but one of
> > > the steps should be to also manually disable the user's account.
> >
> > Huh?
> >
> > Am I missing something?
>
> Probably.
>
Actually, I think you are, but I was being polite.

Laura

--
There's a great power in words, if you don't hitch too many of them
together.
-Josh Billings