When you disable a user account in Active Directory and you have more than one domain controller, the disabling...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
only takes place immediately on that particular user's domain controller. The other domain controllers will reflect the disabling of the account only after replication takes place.
This behavior can cause some unintended consequences. For one, if you lock out a user -- or if password invalidation or some other trigger automatically locks out a user -- replication for that account takes place immediately. This is a phenomenon Microsoft calls "urgent replication." Changing a user's password also causes an urgent replication. But, oddly enough, simply disabling an account does not.
So what does that mean? Well, disabled users may find they can still log on, because there are other domain controllers that will honor their user accounts. If security is a big issue for your organization, this can be a problem, especially if you are dealing with slow replication over wide-area networks. Suppose you disable a disgruntled former employee, for instance, and that person finds he can still log on. Yikes!
For the sake of security, the best way to insure that a disabled account is disabled throughout your domain is to change the password in addition to disabling the account. This can be done with a batch file, which might read like so:
net user %1 /active:no /domain
net user %1 bogus123 /domain
If you use this batch file with the user's name supplied as a command-line parameter, the account is disabled and then its password changed to bogus123, which insures that replication will take place. Admittedly, you may not be comfortable with the idea of changing the password on a locked-out account to something fixed (even if the account is locked out). If so, simply replace bogus123 in the second line of the script with %2. This allows the administrator to supply both a username and a new, wholly arbitrary password.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!