- Create a new text file and rename it to something.bat. This is the start of your batch script file that you'll schedule later on.
- Right-click your .bat file and select Edit. This should open the file in Notepad so you can enter your command.
- Enter dsmod user USER_DN -disabled (yes|no) into your batch file. To expand on what this means:
  - dsmod user is required. It calls the directory services modify program built into your server and specifies that the change applies to a user.
  - USER_DN represents the DN of the user you want to disable within your Active Directory structure. Say your Active Directory domain is domain.com, your user is named Test User, and the user exists in the OU named DomUsers. Your USER_DN value would be CN=Test User,OU=DomUsers,DC=domain,DC=com
  - -disabled is required because it defines which property of the user you are changing.
  - (yes|no) means to choose yes or no, whichever value you want disabled set to.
- Save your batch file.
- Use Windows Scheduled Tasks to schedule the file. You can browse to the file and select it, then pick the schedule you want it to run on.
Here are two basic examples of the command using the information above.
To disable Test User, the command is:
dsmod user "CN=Test User,OU=DomUsers,DC=domain,DC=com" -disabled yes
And to enable Test User:
dsmod user "CN=Test User,OU=DomUsers,DC=domain,DC=com" -disabled no
Notice that I put the USER_DN in quotes. This is because there are spaces. You're best off using quotes around the USER_DN in every case, since the command works with quotes whether or not the DN contains spaces.
Also, if your user is buried in multiple OUs, just add them to the DN. If Test User had been in three tiers of OUs, such as a top-level named USA, a mid-level named MN, and a bottom-level named DomUsers, the USER_DN value would be CN=Test User,OU=DomUsers,OU=MN,OU=USA,DC=domain,DC=com
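As an added example (not part of the original article), here is a batch file that wraps the disable command above with a result check and a log entry, so each scheduled run leaves a record of what happened. The DN is the article's sample user; the log path C:\Scripts\dsmod-disable.log is an assumption.

```batch
@echo off
setlocal

rem Sample DN from the article; replace it with the real user's DN.
set "USER_DN=CN=Test User,OU=DomUsers,DC=domain,DC=com"

rem Assumed log location; the folder must already exist and be
rem writable by the account the scheduled task runs as.
set "LOG=C:\Scripts\dsmod-disable.log"

rem Disable the account. dsmod's own output is appended to the log.
dsmod user "%USER_DN%" -disabled yes >> "%LOG%" 2>&1

rem Treat a non-zero exit code from dsmod as a failure and record it.
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to disable "%USER_DN%" >> "%LOG%"
    exit /b 1
)

rem Read the property back with dsget so the log shows the resulting state.
echo %DATE% %TIME% Disabled "%USER_DN%". State reported by dsget: >> "%LOG%"
dsget user "%USER_DN%" -disabled >> "%LOG%" 2>&1

endlocal
exit /b 0
```

The scheduled task has to run under an account that is allowed to modify the user object, otherwise dsmod fails and the script logs the FAILED line.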
To see the Microsoft KB article outlining doing this with dsmod, click here