Disabling user account

  • Thread starter Thread starter mani
  • Start date Start date
M

mani

I would like to know how to diable an account when it is place into an OU I
can created? I would like to accomplish this via GPO. Does anyone have
any suggestion?
 
mani said:
I would like to know how to diable an account when it is place into an OU I
can created? I would like to accomplish this via GPO. Does anyone have
any suggestion?
Click to expand...

It (probably) doesn't really make sense to disable an
account through a GPO.

First, who or what would you link the GPO to? When,
if ever, would it be applied?

If now, why not just disable the account?

When would it STOP being applied?

What are you really trying to accomplish, other
than disabling some specific account?
[/QUOTE]
 
I have a script that I use to disable a user account, move it to a "disabled
users OU" , deletes the home folder on whatever server it exists on, removes
the terminal server home folder if it exists and replicates the change to the
domain controller the user logs on to to make sure the account is disabled
"out there" in their office immediatly, instead of when the normal
replication would take place.

I would do something similar in your case.
 
ylekiot1 Wyle E Coyote said:
I have a script that I use to disable a user account, move it to a "disabled
users OU" , deletes the home folder on whatever server it exists on, removes
the terminal server home folder if it exists and replicates the change to the
domain controller the user logs on to to make sure the account is disabled
"out there" in their office immediatly, instead of when the normal
replication would take place.

I would do something similar in your case.
Click to expand...

I would NOT include the DISABLE in the script or
depend on the GPO in any way for the disable.

Remember, the GPO will not apply to network connections
that don't constitute a logon so a supposedly disabled user
would still be able to make network only connections.

The idea of the disabled GPO is not a bad one, but one of
the steps should be to also manually disable the user's account.
 
circa Fri, 3 Dec 2004 15:12:28 -0600, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,
I would NOT include the DISABLE in the script
Click to expand...

Why? It sounds like it is the entire purpose of this poster's script
(and note that this is not the same person who posted the question
originally).
or
depend on the GPO in any way for the disable.
Click to expand...

The person to whom you are responding does not do so, as far as I can
tell.
Remember, the GPO will not apply to network connections
that don't constitute a logon so a supposedly disabled user
would still be able to make network only connections.
Huh?

The idea of the disabled GPO is not a bad one, but one of
the steps should be to also manually disable the user's account.
Click to expand...

Huh?

Am I missing something? The post to which you are responding doesn't
say anything at all about using a GPO. It suggests scripting the
disable, which is the same suggestion the original poster has been
given in the other newsgroups where s/he posted the question. Did I
miss a post somewhere?

Thanks,

Laura
 
--
Herb Martin


Why? It sounds like it is the entire purpose of this poster's script
(and note that this is not the same person who posted the question
originally).
Click to expand...

The reasons were given in my previous message (2 back
from me now in this thread.)
Huh?
Click to expand...

Which part don't you understand?

GPOs are not invoked for network authentications
which are not part of a logon (at a machine or through
terminal services.)

So were one to depend on a GPO to apply the DISABLE
then the account might remain Enabled far longer than
desired.
Huh?

Am I missing something?
Click to expand...

Probably.
 
circa Sun, 5 Dec 2004 22:42:10 -0600, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,
The reasons were given in my previous message (2 back
from me now in this thread.)
Click to expand...

And you're responding to a message that has nothing to do with that;
the poster recommended a *script*.
Which part don't you understand?
Click to expand...

The part where you discuss GPOs with somebody who recommended a
scripting solution.
GPOs are not invoked for network authentications
which are not part of a logon (at a machine or through
terminal services.)

So were one to depend on a GPO to apply the DISABLE
then the account might remain Enabled far longer than
desired.


Probably.
Click to expand...
Actually, I think you are, but I was being polite.

Laura
 
Back
Top