Managing User Accounts

Microsoft® Windows® 2000 Scripting Guide

After you create a user account, assign it a password, and configure password attributes for it, the next important step in preparing the account for user access is to enable it. By default, a user account is disabled if, when you create it, you specify only the mandatory sAMAccountName attribute. A user cannot log on with the account until you explicitly enable it.

For security, you might want to disable an enabled user account if its user will not be logging on to the network for an extended period of time, or if, after a period of inactivity, you will be reassigning the account to another user.

For both security and troubleshooting, it is useful to check user accounts for their enabled or disabled status. A user account that you deliberately disabled should stay that way until it is needed again; a dormant account that has been left enabled, or quietly re-enabled, gives an attacker an account to log on with and increases the exposure of your network to unauthorized access. Using a script, you can periodically check the status of user accounts that should be disabled and report any that are enabled. If a user is having trouble logging on to the network, you can use a script to determine whether the user account is enabled before looking at other causes.

Using the ADS_UF_ACCOUNTDISABLE flag, you can display or configure the disabled status of a user account. ADS_UF_ACCOUNTDISABLE is a bit flag with the value 2 (0x2) in the userAccountControl attribute of each user account object; the bit is set when the account is disabled and clear when it is enabled. Because userAccountControl is a bitmask that also carries other flags (for example, ADS_UF_NORMAL_ACCOUNT, value 512, is set on every ordinary user account), test the disabled bit with a bitwise AND against the attribute value rather than comparing the whole attribute to 2, and set or clear only that bit when you change it so that the other flags are preserved.
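The following Python script is an added example; it is not part of the Scripting Guide and does not call ADSI. It models the bit operations on userAccountControl so that it runs offline: checking the disabled bit correctly, showing the common mistake of comparing the whole attribute to 2, enabling and disabling without disturbing the other flags, and auditing a set of accounts that are expected to stay disabled. The flag constants are the documented ADS_USER_FLAG values; the account names, their userAccountControl values, and the list of accounts that should stay disabled are constructed for the example.

```python
# Added example: modelling the ADS_UF_ACCOUNTDISABLE bit in userAccountControl.
# The flag values are the documented ADS_USER_FLAG constants; the account data
# below is constructed for the example and does not come from a real directory.

# Documented ADS_USER_FLAG_ENUM values.
ADS_UF_ACCOUNTDISABLE     = 0x0002   # account is disabled
ADS_UF_PASSWD_NOTREQD     = 0x0020   # no password required
ADS_UF_NORMAL_ACCOUNT     = 0x0200   # default account type
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # password never expires

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ADS_UF_ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "ADS_UF_PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "ADS_UF_NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "ADS_UF_DONT_EXPIRE_PASSWD",
}


def is_disabled(uac: int) -> bool:
    """True when the ADS_UF_ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ADS_UF_ACCOUNTDISABLE)


def naive_is_disabled(uac: int) -> bool:
    """The mistake to avoid: comparing the whole attribute to 2.

    userAccountControl almost always carries other bits (512 for a normal
    account at minimum), so this returns False for most disabled accounts.
    """
    return uac == ADS_UF_ACCOUNTDISABLE


def disable(uac: int) -> int:
    """Return the attribute value with the disabled bit set, other bits kept."""
    return uac | ADS_UF_ACCOUNTDISABLE


def enable(uac: int) -> int:
    """Return the attribute value with the disabled bit cleared, other bits kept."""
    return uac & ~ADS_UF_ACCOUNTDISABLE


def decode(uac: int) -> list:
    """Names of the known flags set in uac, in ascending bit order, for a status report."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def audit_should_be_disabled(accounts: dict, should_be_disabled: list) -> list:
    """Names of accounts expected to be disabled that are currently enabled.

    accounts maps sAMAccountName -> userAccountControl. In a real script those
    values would be read from the directory (for example through ADSI).
    """
    return [name for name in should_be_disabled if not is_disabled(accounts[name])]


# Constructed sample directory data (sAMAccountName -> userAccountControl).
SAMPLE_ACCOUNTS = {
    "jsmith":      512,    # ADS_UF_NORMAL_ACCOUNT only: enabled
    "contractor1": 546,    # 512 + 32 + 2: a new account created with only sAMAccountName (disabled)
    "svc_backup":  66048,  # 512 + 65536: enabled, password never expires
    "former_emp":  66050,  # 512 + 65536 + 2: disabled, password never expires
}

# Constructed list of accounts that the organization requires to stay disabled.
EXPECTED_DISABLED = ["contractor1", "svc_backup", "former_emp"]


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        state = "disabled" if is_disabled(uac) else "enabled"
        print(f"{name:12} {uac:6} {state:8} {decode(uac)}")
    # Periodic check: which "should be disabled" accounts have been enabled?
    print("enabled but expected disabled:",
          audit_should_be_disabled(SAMPLE_ACCOUNTS, EXPECTED_DISABLED))
    # Troubleshooting a user who cannot log on: enabling keeps the other flags.
    fixed = enable(SAMPLE_ACCOUNTS["contractor1"])
    print("contractor1 after enable:", fixed, decode(fixed))
```

In an ADSI script the same arithmetic applies to the value returned by the user object's Get("userAccountControl") call; the modified value is written back with Put("userAccountControl", value) followed by SetInfo. Note that the newly created account in the sample still has ADS_UF_PASSWD_NOTREQD set after enabling, which is why a password should be assigned before the account is enabled, as the preceding text describes.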

For a list of attributes that are enabled automatically when a user account is created, see "Creating User Accounts" earlier in this chapter.