Share via


Disable or Enable a Computer Account

Applies To: Windows Server 2008

Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Disabling or enabling a computer account

  • Using the Windows interface

  • Using a command line

To disable or enable a computer account using the Windows interface

  1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. In the console tree, click Computers.

    Where?

    • Active Directory Users and Computers/domain node/Computers

    Or, click the folder that contains the computer account that you want to enable or disable.

  3. In the details pane, right-click the desired computer account, and then do one of the following:

    • To disable the account, click Disable Account.

    • To enable the account, click Enable Account.

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • Another way to open Active Directory Users and Computers is to click Start, click Run, and then type dsa.msc.

  • When you disable a computer account, the computer cannot authenticate to the domain until it has been enabled.

Additional references

To disable or enable a computer account using a command line

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    dsmod computer <ComputerDN> -disabled {yes|no}
    
Parameter Description

<ComputerDN>

Specifies the distinguished names of the computer account that you want to disable or enable.

-disabled

Sets the disabled (yes) or the enabled (no) value for the specified computer account.

{yes|no}

Specifies whether the computer account is disabled for log on (yes) or not (no).

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following, and then press ENTER:

dsmod computer /?

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • When you disable a computer account, the computer account cannot authenticate to the domain until it has been enabled.

Additional references