I work as a security administrator in a Windows 2000 Professional and Win2K Active Directory (AD) environment. I often need to disable user logon IDs (i.e., Windows NT IDs) when employees leave the company. However, I don't like using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in because it requires you to search through all the employees in AD to find the logon IDs you want to disable.
Windows Server 2003's dsmod.exe lets you disable user accounts from the command line. You can also use this tool in Win2K Pro. To disable user accounts, you use the Dsmod User command. This command has many options. In my organization, we use the syntax
dsmod user DistinguishedName -disabled yes
where DistinguishedName is the distinguished name (DN) of the user for whom we want to disable the account. We use the -disabled yes option to disable the user account. (You'd specify no if you want to enable the account.)
Entering the DN every time we need to disable a user account is cumbersome because of our extensive organizational unit (OU) hierarchy. So, I wrote a simple script called Disable.vbs that lets us enter the NT ID rather than the DN to disable user accounts. Listing 1 shows an excerpt from Disable.vbs. You can download the entire script from the Windows Scripting Solutions Web site. Go to http://www.windowsitpro.com/windowsscripting, enter InstantDoc ID 44325 in the InstantDoc ID text box, then click the 44325.zip hotlink.
To run this script, we use the command
cscript disable.vbs NtId true|false
where NtId is the user's NT ID. Including the true value disables the user account, whereas including the false value enables it. As callout A in Listing 1 shows, Disable.vbs checks the OU's hierarchy, so you can use it in any organization.
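The NT-ID-to-DN lookup described above, as an added example rather than the author's Disable.vbs: it resolves the sAMAccountName through an ADSI search of the whole domain and sets the account's disabled flag directly instead of calling dsmod. The character whitelist for NT IDs is an assumption about local naming rules, and the script expects to run as an account with rights to modify the user object.

```vbscript
' Added example, not the Disable.vbs from Listing 1.
Option Explicit
Dim ntId, disable, re, rootDse, conn, cmd, rs, dn, user

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript disable.vbs NtId true|false"
    WScript.Quit 1
End If
ntId = WScript.Arguments(0)
Select Case LCase(WScript.Arguments(1))
    Case "true"  : disable = True
    Case "false" : disable = False
    Case Else
        WScript.Echo "Second argument must be true or false."
        WScript.Quit 1
End Select

' Assumption: NT IDs use only letters, digits, ".", "_" and "-" (max 20 chars).
' Rejecting everything else keeps LDAP filter metacharacters such as ( ) * \
' out of the search filter built below.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
If Not re.Test(ntId) Then
    WScript.Echo "Rejected NT ID: " & ntId
    WScript.Quit 1
End If

' Search from the domain root so the account is found in any OU.
Set rootDse = GetObject("LDAP://RootDSE")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "<LDAP://" & rootDse.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & ntId & "));" & _
    "distinguishedName;subtree"
Set rs = cmd.Execute
If rs.EOF Then
    WScript.Echo "No user with NT ID " & ntId
    WScript.Quit 2
End If

' A "/" inside a DN must be escaped before the DN is used in an ADsPath.
dn = Replace(rs.Fields("distinguishedName").Value, "/", "\/")
Set user = GetObject("LDAP://" & dn)
user.AccountDisabled = disable
user.SetInfo
WScript.Echo "AccountDisabled=" & disable & " set on " & dn
```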