Re: Disabling an Account

From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 11/12/04


Date: Fri, 12 Nov 2004 23:36:48 +0000


"Douglas Merrill" <DouglasMerrill@discussions.microsoft.com> wrote in
message news:DouglasMerrill@discussions.microsoft.com:
> We are using Microsoft Windows Small Business Server 2003 Standard.
>
> We have a situation where we will need to let a few employees go. I need a
> way to disable or lock their accounts immediately so they will not be allowed
> to access network resources even if they have not logged off the network.
>
> I know how to disable an account through Active Directory, but when the
> account has been disabled the user still has the ability to open network
> resources when they have not logged off.
>
> Any help would be appreciated.

Hello Douglas,

You can write a batch to do that. Here are the commands which might
help you:

Dsmod user "userdn goes here" -disabled yes

Psloggedon (from Sysinternals) helps you to figure out on which
computer the account is currently logged on
Psexec (from Sysinternals) helps you to run a command on a remote
machine
Shutdown -l logs off the current user.

You could try to combine psloggedon to figure out on which computer the
user is logged on, then run psexec to run shutdown -l on that computer
to log him out.

I'm not sure if shutdown -l will work since you connect to the computer
with your credentials, but want the current user to be logged off. If
it does not work just shut down the computer or reboot it.

One issue which is not solved is that the users would be able to pull
the network cable before logging on, then log on with their
username/password, since they'd be using the locally cached profile and
won't verify if the computer account is active with the domain
controller. If you need this solved you'd be able to connect to the
computers where you just logged the user off and move the profile away
to a server. As long as the user has no locally stored profile they won't
be able to log on in this case.

Hope this helps.

-- 
Gruesse - Sincerely,
Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org
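
The sequence described in the reply above, as an added batch example that is not part of the original post: it disables the account with dsmod, lists where the user is logged on with psloggedon, and restarts the named computers (the reboot fallback the reply mentions, used here because the reply is unsure that shutdown -l works through psexec). The script name, DN, logon name and computer names are placeholders.

```batch
@echo off
rem Added example. Usage (all values are placeholders):
rem   offboard.cmd "CN=Jane Doe,OU=Staff,DC=example,DC=local" jdoe PC01 PC02
setlocal
if "%~2"=="" (
  echo Usage: %~nx0 "userDN" logonname [computer ...]
  exit /b 1
)
set "USERDN=%~1"
set "LOGON=%~2"

rem Step 1: disable the account so no new domain logon is accepted.
dsmod user "%USERDN%" -disabled yes
if errorlevel 1 (
  echo Could not disable the account - nothing else was done.
  exit /b 1
)

rem Step 2: no computers named yet, so list where the user is logged on.
if "%~3"=="" (
  psloggedon %LOGON%
  echo Re-run with the computer names shown above to end those sessions.
  exit /b 0
)

rem Step 3: force a restart of each named computer, which ends the session.
shift
shift
:next
if "%~1"=="" goto done
echo Restarting %~1 ...
shutdown -r -f -t 0 -m \\%~1
if errorlevel 1 echo WARNING: could not restart %~1 - handle it manually.
shift
goto next
:done
endlocal
```

Run it once with only the DN and logon name to see the psloggedon listing, then again with the computer names appended.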

