Monday, November 26, 2012

Disable an Active Directory account on a schedule

Every AD admin knows this one. Request 891237843 -> "Please disable the user XY next Saturday at 12 pm." It's the weekend, so don't waste your time on things like this... Here is a guide to creating a scheduled task that does the job for you!

First create a batch file like this:

dsmod user "CN=Bad Person,OU=Users,DC=companyX,DC=com" -disabled yes

You need to know the user's DN. You can find it in Active Directory Users and Computers (ADUC) in the user's properties: select the "Attribute Editor" tab and go to "distinguishedName". Double-click it and copy the value. Replace my sample DN CN=Bad Person,OU=Users,DC=companyX,DC=com in the script with your user's DN and save it.

On your DC, or on an admin workstation that has DSMOD installed, create a scheduled task that runs the batch file you created.

One example of creating a scheduled task on Windows Server 2008 R2:
Open the "Task Scheduler", which is located in "Administrative Tools". Right-click "Task Scheduler Library" and select "Create Task...".

Task Settings:
-General tab
Select "Run whether user is logged on or not"
-Triggers tab
Click on "New...", select "On a schedule" and set the time at which you want to disable the user.
-Actions tab
Click on "New...", select "Start a program" and "Browse" to the batch file you created.

Confirm everything by clicking "OK" and entering your credentials or the credentials of a task user.

Note: The account that runs the task needs the required rights to disable a user account.
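
A batch file that only calls dsmod leaves no record of whether the weekend run actually worked. The script below is an added example, not part of the original post: it runs the same dsmod command, reads the flag back with dsget, and writes the result to a log. The script name, the C:\Scripts paths and the log format are assumptions.

```powershell
# Added example (not from the original post). Save as C:\Scripts\Disable-User.ps1
# (hypothetical path) and use this as the task's "Start a program" action:
#   powershell.exe -NoProfile -File C:\Scripts\Disable-User.ps1
# The execution policy must allow local scripts (for example RemoteSigned).
param(
    # Sample DN from the article; replace it with the real distinguishedName.
    [string]$UserDN  = 'CN=Bad Person,OU=Users,DC=companyX,DC=com',
    # Assumed log location; the task account needs write access to it.
    [string]$LogFile = 'C:\Scripts\disable-user.log'
)

function Write-Log([string]$Message) {
    # One line per event: timestamp, account the task ran as, result.
    $line = '{0}  {1}  {2}' -f (Get-Date -Format 's'), $env:USERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Same command as the batch file, with its output captured for the log.
$out = & dsmod user $UserDN -disabled yes 2>&1
if ($LASTEXITCODE -ne 0) {
    # Treat a non-zero exit code (wrong DN, missing rights, DC unreachable) as failure.
    Write-Log "FAILED dsmod for '$UserDN' (exit $LASTEXITCODE): $out"
    exit 1
}

# Read the flag back: dsget prints a 'disabled' column containing yes or no.
$state = & dsget user $UserDN -disabled 2>&1
if ($LASTEXITCODE -eq 0 -and ($state -match '^\s*yes\s*$')) {
    Write-Log "OK '$UserDN' is disabled"
    exit 0
}

# dsmod reported success but the account does not read back as disabled.
Write-Log "FAILED verification for '$UserDN': $state"
exit 1
```

The non-zero exit code shows up as the task's "Last Run Result" in Task Scheduler, so a failed run is visible on Monday without opening the log.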

1 comment:

  1. Nice article, thanks for sharing the helpful information related to disabling an Active Directory account on a schedule. I found the automated tool ( http://www.lepide.com/active-directory-cleaner/ ) which assists in finding old or disabled user and computer accounts in an Active Directory environment, managing inactive accounts and moving them to another OU. It allows you to automate and schedule Active Directory cleanup actions and generate a comprehensive report based on old accounts, never-logged-on users and real last logon details of accounts.
