Disable user accounts with Windows Server 2003

There are two ways to disable a user account in Windows Server 2003. The first approach takes effect immediately, and the second happens on a time schedule at the end of the specified day. The latter method allows Windows to handle the action of disabling the account. Derek Schauland explains each process.

When an employee leaves your organization, it may be important to remove the user account. The company may make the case for deleting a user account after a set number of days or weeks, but there may be times when you want to disable rather than delete a user's account.

There are two ways to disable a user account in Windows Server 2003. The first approach takes effect immediately, and the second happens on a time schedule at the end of the specified day. The latter method allows Windows to handle the action of disabling the account. This might be useful if a user is leaving for a different position and has given notice. Disabling an account prevents the account from receiving e-mail (if e-mail properties have been configured), and it prevents the user from logging on or accessing network resources. If anyone needs to access the disabled account for any reason, you can simply turn it back on.

To disable a user account immediately, follow these steps:

  1. Open Active Directory Users And Computers.
  2. In the right pane of the Active Directory Users And Computers window, right-click the user account you want to disable and select Disable. You will see a dialog box letting you know that the account is now disabled.
  3. After you see a dialog box letting you know that the account is disabled, click OK.

To set a user account to disable at the end of a specified date, follow these steps:

  1. Open Active Directory Users And Computers.
  2. In the right pane of the Active Directory Users And Computers window, right-click the user account name you wish to disable and select Properties.
  3. Click the Account tab in the user account properties box.
  4. In the box near the bottom of the Account tab, select the date you want the account to disable, and then click OK.
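What the two procedures above change in the directory can be checked from an export. The following is an added example, not part of the original article: it assumes a CSV export of sAMAccountName, userAccountControl and accountExpires (for instance from csvde) plus a hypothetical set of departed users, and reports which of them can still log on. All account names and values are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002              # userAccountControl bit set by "Disable"
NEVER = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def expiry_time(account_expires):
    """Convert accountExpires (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    if account_expires in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=account_expires // 10)


def logon_state(uac, account_expires, now):
    """Classify an account as 'disabled', 'expired', 'expiring' or 'active'."""
    if uac & ACCOUNTDISABLE:
        return "disabled"
    expires = expiry_time(account_expires)
    if expires is None:
        return "active"
    return "expired" if expires <= now else "expiring"


def still_usable(export_text, departed, now):
    """Return departed users (assumed HR list) whose accounts can log on at `now`."""
    rows = csv.DictReader(io.StringIO(export_text))
    return sorted(
        r["sAMAccountName"] for r in rows
        if r["sAMAccountName"] in departed
        and logon_state(int(r["userAccountControl"]),
                        int(r["accountExpires"]), now) in ("active", "expiring")
    )


# Constructed sample export: 512 = normal account, 514 = normal + disabled.
SAMPLE = """sAMAccountName,userAccountControl,accountExpires
asmith,514,9223372036854775807
bjones,512,0
cwhite,512,128752416000000000
dgreen,512,128700000000000000
"""

if __name__ == "__main__":
    now = datetime(2008, 12, 15, tzinfo=timezone.utc)
    print(still_usable(SAMPLE, {"asmith", "bjones", "cwhite", "dgreen"}, now))
```

An account given an expiry date stays usable until that date, which is why it is reported alongside accounts that were never touched.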

Deleting a user account removes all of the attributes of the user object from Active Directory. If a user object is deleted and the user later returns to the company, you will need to create a new user and add all the needed properties again; the new account will also have a new Security Identifier.

Note: In order to take effect completely, both types of account changes will need to be replicated throughout your Active Directory environment. If there are issues with directory replication, you may see the reappearance of deleted accounts or re-enabling of disabled accounts.

If you have no further need for an account after a period of time, you can delete the user account object by following these steps:

  1. Open Active Directory Users And Computers.
  2. Right-click the User Account Object you wish to delete.
  3. Select Delete from the Context menu.
  4. Click Yes when asked if you want to delete the object.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

22 comments
lcsgeek

What about mapped drives? I want to disable an account immediately and not allow them to blow away their home directory data. How is this accomplished? Disabling the account doesn't cut it.

DoubleJava

Good article. However, there is one error. A disabled user account does continue to receive email. While the disabled user may not be able to access the email (because they can't login), new email does continue to be routed to the account's associated mailbox. Therefore, when disabling a user account, you may want to either delete the account's associated mailbox (without deleting the user account), or you may want to configure forwarding on the account so that email gets routed to another individual.

varun

that was useful..

bob.greenwood

Disable or delete the account. I've seen where the accounts have been left active after someone leaves. I'm talking about 50+ accounts being still active.

wayne.oliver.ctr

Microsoft has an article 903158 on disabled accounts in an Exchange 2003 AD environment. It outlines a corrective hotfix to allow disabled accounts to continue receiving email and additional functionality that is worth a read.

The Listed 'G MAN'

so why write an article about this? If you don't know how to disable or delete an account you should not be using the system at all. May as well tell them how to copy a file from one folder to another next... PS: Sorry if this sounds harsh but I don't see the point here.

uhuser

Is this not the default setting?

techless

I manage lots of accounts - and I disable and delete lots of accounts ... but I had completely forgotten about setting date and times!! Thanks ...

Master G

Most of all posts here list your name and your "actual" positions in your workforce. This is very basic and every one of us should know by the moment we acquired the title "Administrator" in our different entities. So that being said, the post is really good and also really basic, therefore, rendering it obsolete. Thanks all.

phil

As with others who have already replied I disagree and hope that you've simply misunderstood the point of the post. It wasn't to teach us the simple ABC of domain management but to introduce a new method of which possibly some of us were unaware. When was the last time you had five minutes to find a new method of doing a task as "basic" as this! I'm repeatedly asked to disable someone's account, usually five minutes after they've left - usually the last to know - but at least now when I do know I can schedule in the disabling of the account rather than hanging around for the *moment* they leave.

basy27

I agree completely!

Bizzo

I agree, I think it is basic admin, but I don't think the slant of the article was how to delete/disable accounts, but more *when* to delete/disable accounts, and to explain the effects of doing each. I've had colleagues delete accounts, only to realise that they had been given the wrong account name, and yes, I've done it also. After that we started to disable them and then after a month, delete. I know this probably is MCSE "bread and butter" stuff, but not being an MCSE, I didn't know it at the time. We learn by our (or others') mistakes!

altaee

Do you think all people are born to know this!? I disagree with you and thanks for the article. Al, PMP, MCSE, CCVP

StoneSatellite

Why would one even entertain the notion that the only folks that traverse these pages are admins with certs? Bottom line is the article is posted for teaching purposes, and should you already know it then great, let it roll off on to the guy who doesn't.

TNsteve

We leave accounts on the system of people that leave the company for a few weeks. Managers may want to review and move email, replacement staff may need to be set up just like the departed user, etc. Since disabling the account restricts incoming emails, what we have done is set the "Log on to..." value on the "Account" tab for the userid to be some text value like "term". So long as you don't have a workstation named "term" then any logon should be stopped. We also reset the password and remove the AccountOperator group from the userid's Security tab. I realize there are several ways to accomplish the same thing. Just sharing...

The Listed 'G MAN'

User x leaves at 5 PM today. I want automatic disabling of that account starting at 5 pm today. How do I do this? The method described in the article is not new. It has been around for quite a while. Looking at my user account would make it clear that it exists without any 'looking up or instruction'.

Bizzo

No, people aren't born to know this. People are trained to know this. Being an MCSE you should know this.

OKNightOwl

Thank You for the very level headed reply. Some would just dismiss others who do not know the "Origins of Life (er Net Admin)" as complete bone-heads and unable to learn new stuff. I have probably forgotten more than they ever knew. Let's work on some really OLD Stuff to see where they are, but from time to time I enjoy getting a refresher. Having been an Instructor it is also good to see someone else's approach. Just from your attitude & comment - I would probably enjoy working in your organization, where others I'm not so certain about. Thanks

laneci

G-man. We've actually developed a solution for our client. Using vb.net, we check the HR system and LDAP on a regular basis - hourly currently but can be run more often. The process only takes seconds to complete. When we find a user in LDAP that is set to terminated in the HR system, we programmatically disable that account in LDAP, thus preventing things from getting missed in the "exiting employee" process. Obviously, employees have more and more access to critical systems and prompt termination of network access is required (like it or not). www.praecipioconsulting.com
