Disabling user account

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I would like to know how to diable an account when it is place into an OU I
can created? I would like to accomplish this via GPO. Does anyone have
any suggestion?
6 answers Last reply
More about disabling user account
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "mani" <mani@idt.com> wrote in message
    news:#Fvpz$K2EHA.1452@TK2MSFTNGP11.phx.gbl...
    > I would like to know how to diable an account when it is place into an OU
    I
    > can created? I would like to accomplish this via GPO. Does anyone have
    > any suggestion?

    It (probably) doesn't really make sense to disable an
    account through a GPO.

    First, who or what would you link the GPO to? When,
    if ever, would it be applied?

    If now, why not just disable the account?

    When would it STOP being applied?

    What are you really trying to accomplish, other
    than disabling some specific account?


    --
    Herb Martin


    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I have a script that I use to disable a user account, move it to a "disabled
    users OU" , deletes the home folder on whatever server it exists on, removes
    the terminal server home folder if it exists and replicates the change to the
    domain controller the user logs on to to make sure the account is disabled
    "out there" in their office immediatly, instead of when the normal
    replication would take place.

    I would do something similar in your case.
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "ylekiot1 Wyle E Coyote" <ylekiot1WyleECoyote@discussions.microsoft.com>
    wrote in message news:1168251A-6376-477C-BD58-11950A95CF90@microsoft.com...
    >
    > I have a script that I use to disable a user account, move it to a
    "disabled
    > users OU" , deletes the home folder on whatever server it exists on,
    removes
    > the terminal server home folder if it exists and replicates the change to
    the
    > domain controller the user logs on to to make sure the account is disabled
    > "out there" in their office immediatly, instead of when the normal
    > replication would take place.
    >
    > I would do something similar in your case.

    I would NOT include the DISABLE in the script or
    depend on the GPO in any way for the disable.

    Remember, the GPO will not apply to network connections
    that don't constitute a logon so a supposedly disabled user
    would still be able to make network only connections.

    The idea of the disabled GPO is not a bad one, but one of
    the steps should be to also manually disable the user's account.

    --
    Herb Martin
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    circa Fri, 3 Dec 2004 15:12:28 -0600, in
    microsoft.public.win2000.active_directory, Herb Martin
    (news@LearnQuick.com) said,
    > "ylekiot1 Wyle E Coyote" <ylekiot1WyleECoyote@discussions.microsoft.com>
    > wrote in message news:1168251A-6376-477C-BD58-11950A95CF90@microsoft.com...
    > >
    > > I have a script that I use to disable a user account, move it to a
    > "disabled
    > > users OU" , deletes the home folder on whatever server it exists on,
    > removes
    > > the terminal server home folder if it exists and replicates the change to
    > the
    > > domain controller the user logs on to to make sure the account is disabled
    > > "out there" in their office immediatly, instead of when the normal
    > > replication would take place.
    > >
    > > I would do something similar in your case.
    >
    > I would NOT include the DISABLE in the script

    Why? It sounds like it is the entire purpose of this poster's script
    (and note that this is not the same person who posted the question
    originally).

    > or
    > depend on the GPO in any way for the disable.

    The person to whom you are responding does not do so, as far as I can
    tell.
    >
    > Remember, the GPO will not apply to network connections
    > that don't constitute a logon so a supposedly disabled user
    > would still be able to make network only connections.

    Huh?
    >
    > The idea of the disabled GPO is not a bad one, but one of
    > the steps should be to also manually disable the user's account.

    Huh?

    Am I missing something? The post to which you are responding doesn't
    say anything at all about using a GPO. It suggests scripting the
    disable, which is the same suggestion the original poster has been
    given in the other newsgroups where s/he posted the question. Did I
    miss a post somewhere?

    Thanks,

    Laura
    >
    >

    --
    Experience is the name every one gives to their mistakes.
    -Oscar Wilde
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    --
    Herb Martin


    "Laura A. Robinson" <geekwench@snippit.hotmail.com> wrote in message
    news:MPG.1c1d5af78034630c98aecd@msnews.microsoft.com...

    > > > I have a script that I use to disable a user account, move it to a
    > > "disabled
    > > > users OU" , deletes the home folder on whatever server it exists on,
    > > removes
    > > > the terminal server home folder if it exists and replicates the change
    to
    > > the
    > > > domain controller the user logs on to to make sure the account is
    disabled
    > > > "out there" in their office immediatly, instead of when the normal
    > > > replication would take place.
    > > >
    > > > I would do something similar in your case.
    > > I would NOT include the DISABLE in the script
    >
    > Why? It sounds like it is the entire purpose of this poster's script
    > (and note that this is not the same person who posted the question
    > originally).

    The reasons were given in my previous message (2 back
    from me now in this thread.)

    > > Remember, the GPO will not apply to network connections
    > > that don't constitute a logon so a supposedly disabled user
    > > would still be able to make network only connections.
    >
    > Huh?

    Which part don't you understand?

    GPOs are not invoked for network authentications
    which are not part of a logon (at a machine or through
    terminal services.)

    So were one to depend on a GPO to apply the DISABLE
    then the account might remain Enabled far longer than
    desired.

    > > The idea of the disabled GPO is not a bad one, but one of
    > > the steps should be to also manually disable the user's account.
    >
    > Huh?
    >
    > Am I missing something?

    Probably.
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    circa Sun, 5 Dec 2004 22:42:10 -0600, in
    microsoft.public.win2000.active_directory, Herb Martin
    (news@LearnQuick.com) said,
    >
    > > > > I have a script that I use to disable a user account, move it to a
    > > > "disabled
    > > > > users OU" , deletes the home folder on whatever server it exists on,
    > > > removes
    > > > > the terminal server home folder if it exists and replicates the change
    > to
    > > > the
    > > > > domain controller the user logs on to to make sure the account is
    > disabled
    > > > > "out there" in their office immediatly, instead of when the normal
    > > > > replication would take place.
    > > > >
    > > > > I would do something similar in your case.
    > > > I would NOT include the DISABLE in the script
    > >
    > > Why? It sounds like it is the entire purpose of this poster's script
    > > (and note that this is not the same person who posted the question
    > > originally).
    >
    > The reasons were given in my previous message (2 back
    > from me now in this thread.)

    And you're responding to a message that has nothing to do with that;
    the poster recommended a *script*.
    >
    > > > Remember, the GPO will not apply to network connections
    > > > that don't constitute a logon so a supposedly disabled user
    > > > would still be able to make network only connections.
    > >
    > > Huh?
    >
    > Which part don't you understand?

    The part where you discuss GPOs with somebody who recommended a
    scripting solution.
    >
    > GPOs are not invoked for network authentications
    > which are not part of a logon (at a machine or through
    > terminal services.)
    >
    > So were one to depend on a GPO to apply the DISABLE
    > then the account might remain Enabled far longer than
    > desired.
    >
    > > > The idea of the disabled GPO is not a bad one, but one of
    > > > the steps should be to also manually disable the user's account.
    > >
    > > Huh?
    > >
    > > Am I missing something?
    >
    > Probably.
    >
    Actually, I think you are, but I was being polite.

    Laura

    --
    There's a great power in words, if you don't hitch too many of them
    together.
    -Josh Billings
Ask a new question

Read More

Microsoft Active Directory Windows