Disable or Enable a User Account

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

  • To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting them.

Membership in Account Operators , Domain Admins , or Enterprise Admins , or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Disabling or enabling a user account

  • Using the Windows interface

  • Using a command line

To disable or enable a user account using the Windows interface

  1. To open Active Directory Users and Computers, click Start , click Control Panel , double-click Administrative Tools , and then double-click Active Directory Users and Computers .

    To open Active Directory Users and Computers in Windows Server® 2012, click Start , type dsa.msc .

  2. In the console tree, click Users .

    Where?

    • Active Directory Users and Computers\ domain node \Users

    Or, click the folder that contains the user account.

  3. In the details pane, right-click the user.

  4. Depending on the status of the account, do one of the following:

    • To disable the account, click Disable Account .

    • To enable the account, click Enable Account .

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • Another way to open Active Directory Users and Computers is to click Start , click Run , and then type dsa.msc .

  • By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell .

    To open the Active Directory module for Windows PowerShell in Windows Server 2012, open Server Manager , click Tools and then click Active Directory Module for Windows PowerShell .

    For more information, see Disable or Enable a User Account (https://go.microsoft.com/fwlink/?LinkId=138374). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).

Additional references

To disable or enable a user account using a command line

  1. To open a command prompt, click Start , click Run , type cmd , and then click OK .

    To open a command prompt in Windows Server 2012, click Start , type cmd , and then click OK .

  2. Type the following command, and then press ENTER:

    dsmod user <UserDN> -disabled {yes|no}
    
Parameter Description

<UserDN>

Specifies the distinguished name of the user object to be added.

-disabled

Sets the value of UF_ACCTDISABLED in userAccountControl.

{yes|no}

Specifies whether the user account is disabled for logon ( yes ) or not ( no ).

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

dsmod user /? 

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell .

    To open the Active Directory module for Windows PowerShell in Windows Server 2012, open Server Manager , click Tools and then click Active Directory Module for Windows PowerShell .

    For more information, see Disable or Enable a User Account (https://go.microsoft.com/fwlink/?LinkId=180668). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).

Additional references