When you disable a user account in Active Directory and you have more than one domain controller, the change takes effect immediately only on the domain controller where you made it. The other domain controllers will reflect the disabled account only after replication takes place.
This behavior can cause some unintended consequences. For one, if you lock out a user -- or if password invalidation or some other trigger automatically locks out a user -- replication for that account takes place immediately. This is a phenomenon Microsoft calls "urgent replication." Changing a user's password also causes an urgent replication. But, oddly enough, simply disabling an account does not.
So what does that mean? Well, disabled users may find they can still log on, because other domain controllers will still honor their accounts until replication catches up. If security is a big issue for your organization, this can be a problem, especially if you are dealing with slow replication over wide-area networks. Suppose you disable the account of a disgruntled former employee, for instance, and that person finds he can still log on. Yikes!
For the sake of security, the best way to ensure that a disabled account is disabled throughout your domain is to change the password in addition to disabling the account. This can be done with a batch file, which might read like so:
rem %1 is the user name passed on the command line; /domain runs the command against the domain controller
net user %1 /active:no /domain
rem Resetting the password triggers urgent replication, so the disable is pushed out with it
net user %1 bogus123 /domain
If you use this batch
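The same two-step procedure in a modern form, as an added example that is not part of the original article: it disables the account, resets the password to a random value rather than a fixed one, and then queries every domain controller directly to show where the disabled state has and has not arrived. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to disable users and reset passwords.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and rights to disable accounts and reset passwords.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Step 1 (same as "net user %1 /active:no /domain"): disable the account.
Disable-ADAccount -Identity $SamAccountName

# Step 2 (same idea as "net user %1 bogus123 /domain", but with a random value
# instead of a fixed one): reset the password. The password change is what
# triggers urgent replication, so the disabled state travels with it.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

# Step 3: ask every DC directly (-Server) rather than whichever DC the client
# happens to pick, so the report shows which DCs still honor the account.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties Enabled, PasswordLastSet
        [pscustomobject]@{
            DomainController = $dc.HostName
            Enabled          = $u.Enabled
            PasswordLastSet  = $u.PasswordLastSet
        }
    } catch {
        [pscustomobject]@{
            DomainController = $dc.HostName
            Enabled          = "unreachable: $($_.Exception.Message)"
            PasswordLastSet  = $null
        }
    }
}
$report | Format-Table -AutoSize

# Any DC still reporting Enabled = True has not received the change yet.
if ($report | Where-Object { $_.Enabled -eq $true }) {
    Write-Warning "At least one domain controller still shows $SamAccountName as enabled."
}
```

Run the report loop again after a few seconds to watch the remaining domain controllers pick up the change.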
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in November 2003