Re: Disabling an Account

From: Ulf B. Simon-Weidner [MVP] (
Date: 11/12/04

Date: Fri, 12 Nov 2004 23:36:48 +0000

"Douglas Merrill" <> wrote in
> We are using Microsoft Windows Small Business Server 2003 Standard.
> We have a situation where we will need to let a few employees go. I need a
> way to disable or lock their accounts immediately so they will not be
> allowed
> to access network resources even if they have not logged off the
> network.
> I know how to disable an account through Active Directory, but when the
> account has been disabled the user still has the ability to open network
> resources when they have not logged off.
> Any help would be appreciated.

Hello Douglas,

You can write a batch to do that. Here are the commands which might
help you:

Dsmod user "userdn goes here" -disabled yes

Psloggedon (from SysInternals) helps you to figure out on which
computer the account is currently logged on
Psexec (from Sysinternals) helps you to run a command on a remote
Shutdown -l loggs off the current user.

You could try to combine psloggedon to figure out on which computer the
user is logged on, then run psexec to run shutdown -l on that computer
to log him out.

I'm not sure if shutdown -l will work since you connect to the computer
with your credentials, but want the current user to be logged off. If
it does not work just shut down the computer or reboot it.

One issue which is not solved, is that the users would be able to pull
the network cable before logging on, then logging on with their
username/password since they'd be using the locally cached profile and
won't verify if the computeraccount is active with the domain
controller. If you need this solved you'd be able to connect to the
computers where you just logged the user off and move the profile away
on a server. As long as the user has no local stored profile they won't
be a ble to log on in this case.

Hope this helps.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps":