-
To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting them.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at
Disabling or enabling a user account
 | To disable or enable a user account using the Windows interface |
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
In the console tree, click Users.
Where?
-
Active Directory Users and Computers\domain node\Users
Or, click the folder that contains the user account.
-
Active Directory Users and Computers\domain node\Users
In the details pane, right-click the user.
Depending on the status of the account, do one of the following:
-
To disable the account, click Disable Account.
-
To enable the account, click Enable Account.
-
To disable the account, click Disable Account.
Additional considerations
-
To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
-
Another way to open Active Directory Users and Computers is to click Start, click Run, and then type dsa.msc.
-
By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.
- You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Disable or Enable a User Account (
https://go.microsoft.com/fwlink/?LinkId=138374 ). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372 ).
Additional references
| To disable or enable a user account using a command line |
To open a command prompt, click Start, click Run, type cmd, and then click OK.
Type the following command, and then press ENTER:
dsmod user <UserDN> -disabled {yes|no}
| Parameter | Description |
|---|---|
|
<UserDN> |
Specifies the distinguished name of the user object to be added. |
|
-disabled |
Sets the value of UF_ACCTDISABLED in userAccountControl. |
|
{yes|no} |
Specifies whether the user account is disabled for logon (yes) or not (no). |
To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:
dsmod user /?
Additional considerations
-
To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
-
By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.
- You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Disable or Enable a User Account (
https://go.microsoft.com/fwlink/?LinkId=138374 ). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372 ).