

Disabling user accounts? Apply behavior modification


Serdar Yegulalp
11.19.2003
Rating: -4.20- (out of 5)




When you disable a user account in Active Directory and you have more than one domain controller, the disabling only takes place immediately on that particular user's domain controller. The other domain controllers will reflect the disabling of the account only after replication takes place.

This behavior can cause some unintended consequences. For one, if you lock out a user -- or if password invalidation or some other trigger automatically locks out a user -- replication for that account takes place immediately. This is a phenomenon Microsoft calls "urgent replication." Changing a user's password also causes an urgent replication. But, oddly enough, simply disabling an account does not.

So what does that mean? Well, disabled users may find they can still log on, because there are other domain controllers that will honor their user accounts. If security is a big issue for your organization, this can be a problem, especially if you are dealing with slow replication over wide-area networks. Suppose you disable a disgruntled former employee, for instance, and that person finds he can still log on. Yikes!

For the sake of security, the best way to ensure that a disabled account is disabled throughout your domain is to change the password in addition to disabling the account. This can be done with a batch file, which might read like so:

net user %1 /active:no /domain
net user %1 bogus123 /domain

If you use this batch file with the user's name supplied as a command-line parameter, the account is disabled and then its password changed to bogus123, which ensures that replication will take place. Admittedly, you may not be comfortable with the idea of changing the password on a locked-out account to something fixed (even if the account is locked out). If so, simply replace bogus123 in the second line of the script with %2. This allows the administrator to supply both a username and a new, wholly arbitrary password.
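
The same disable-then-reset procedure with a random throwaway password and a per-domain-controller check of the result, as an added example that is not part of the original tip. It assumes the RSAT ActiveDirectory PowerShell module and password-reset rights; the script name and the SamAccountName parameter are hypothetical.

```powershell
# Added example, not from the original tip. Usage: .\Disable-AndVerify.ps1 jdoe
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # hypothetical parameter name
)

Import-Module ActiveDirectory

# Build a random throwaway password instead of a fixed one such as bogus123.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
# The suffix guarantees upper, lower, digit and symbol for complexity policies.
$plain  = [Convert]::ToBase64String($bytes) + 'aZ9!'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
Remove-Variable plain, bytes

# Make both changes on one known DC (here the PDC emulator): disable, then reset.
$origin = (Get-ADDomain).PDCEmulator
Disable-ADAccount -Identity $SamAccountName -Server $origin
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure -Server $origin

# Ask every DC directly what it currently believes about the account.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DC         = $dc.HostName
            Enabled    = $u.Enabled
            PwdLastSet = [datetime]::FromFileTimeUtc($u.pwdLastSet)
        }
    } catch {
        # An unreachable DC is reported, not silently skipped.
        [pscustomobject]@{ DC = $dc.HostName; Enabled = 'unreachable'; PwdLastSet = $null }
    }
}
$report | Format-Table -AutoSize

# Non-zero exit if any DC still shows the account enabled or could not be checked.
if ($report | Where-Object { $_.Enabled -ne $false }) { exit 1 }
```

A domain controller that still reports Enabled as True, or an old PwdLastSet, has not yet received the change; rerun the check after replication to that site completes.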


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!

