Disabling user accounts? Apply behavior modification

When you disable a user account in Active Directory and you have more than one domain controller, the change takes effect immediately only on the domain controller where you made it. The other domain controllers will reflect the disabled state only after replication takes place.

This behavior can cause some unintended consequences. Not every change waits for the replication schedule: an account lockout, whether an administrator triggers it or too many bad passwords trigger it automatically, is replicated immediately. This is part of what Microsoft calls "urgent replication." A password change is likewise sent to the PDC emulator right away, so other domain controllers can check the new password against it. But, oddly enough, simply disabling an account does neither; that change travels on the normal replication schedule.

So what does that mean? Well, disabled users may find they can still log on, because there are other domain controllers that will honor their user accounts. If security is a big issue for your organization, this can be a problem, especially if you are dealing with slow replication over wide-area networks. Suppose you disable a disgruntled former employee, for instance, and that person finds he can still log on. Yikes!

For the sake of security, the best way to ensure that a disabled account is disabled throughout your domain is to change the password in addition to disabling the account. This can be done with a batch file, which might read like so:

@echo off
rem Disable the account named in %1, then change its password so the change propagates
net user %1 /active:no /domain
net user %1 bogus123 /domain

If you use this batch file with the user's name supplied as a command-line parameter, the account is disabled and then its password is changed to bogus123, which gets the change to the PDC emulator immediately rather than on the next replication cycle. Admittedly, you may not be comfortable with the idea of changing the password on a disabled account to something fixed (even though the account is disabled). If so, simply replace bogus123 in the second line of the script with %2. This allows the administrator to supply both a username and a new, wholly arbitrary password. Pick a long random one, and remember that a password passed on the command line is visible in the process list and in command history while the script runs. Note also that the password change is pushed to the PDC emulator, not to every domain controller: a controller that has not yet replicated still holds the old password and the enabled flag. If you need a hard cutoff, force replication with repadmin /syncall instead of waiting for the schedule.
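The same procedure in PowerShell, with two things the batch file lacks: a random password instead of a fixed one, and a check that each domain controller actually shows the account disabled. This is an added example, not code from the original article. It assumes the ActiveDirectory module (RSAT), repadmin.exe on the path, and an account with rights to modify the user and trigger replication; the parameter name $SamAccountName is chosen for the example.

```powershell
<#
Added example, not from the original article. Disables an account, resets its
password to a random value, pushes replication to every domain controller, then
queries each DC directly to confirm the disabled flag has arrived.
Assumes: ActiveDirectory module (RSAT), repadmin.exe on the path, and rights to
modify the user and trigger replication.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName      # e.g. "jsmith" (name chosen for the example)
)

Import-Module ActiveDirectory

# 1. Disable the account. By itself this is not an urgent-replication trigger.
Disable-ADAccount -Identity $SamAccountName

# 2. Reset the password to 32 random bytes, base64-encoded (44 characters), so
#    nobody needs to know it. A password reset is sent to the PDC emulator at once.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

# 3. Do not wait for the replication schedule. repadmin /syncall flags:
#    /A = all partitions, /d = report servers by DN, /e = cross-site, /P = push.
#    Run it against the PDC emulator, which already holds the new password.
$pdc = (Get-ADDomain).PDCEmulator
& repadmin /syncall $pdc /AdeP | Out-Null

# 4. Verify on every DC. -Server binds the query to that specific controller, so
#    a lagging DC is detected instead of being hidden behind the default binding.
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties Enabled
    [pscustomobject]@{ DomainController = $dc.HostName; Enabled = $user.Enabled }
}
$status | Format-Table -AutoSize

$stillEnabled = $status | Where-Object { $_.Enabled }
if ($stillEnabled) {
    Write-Warning ("Still enabled on: " + ($stillEnabled.DomainController -join ", ") +
                   ". Check replication health with repadmin /showrepl and re-run.")
}
```

Run it as .\Disable-AccountEverywhere.ps1 -SamAccountName jsmith from a session with domain admin rights. Two things it cannot fix: Kerberos service tickets already issued to the user keep working until they expire, and sessions already established on member servers stay up until they are torn down, so for a hostile departure also disconnect the user's active sessions and, where the risk warrants it, restart the services the account could reach.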

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!

This was first published in November 2003
