How to enable and disable a Windows domain account using VBScript. In our network there are only two people who are able to add or manipulate domain users. Every now and then I have wanted to give a non-administrator user the ability to enable or disable a user account.

Keys

In our case we have a couple of domain user accounts used for external software support companies that VPN into our network to perform tasks. I didn't want that account being open and accessible all of the time. I realize I could have used logon hours within the account properties to specify what hours the user could and couldn't log on, but I wanted the account to only be enabled when the support personnel asked for access. I didn't want to add the person I wanted to be able to enable and disable this account to the Domain Admins group, and I didn't want to have to install the domain administration tools on their PC so they could do this locally.
After some research I found a really easy way to accomplish this using VBScript. The user who will run the script must have been granted write permission on the target user object through Active Directory delegation (at minimum, write access to its userAccountControl attribute); without it the script still binds to the object, because authenticated users can read it, but fails with an access-denied error when it tries to save the change. Create a text file and name it whatever you want with .vbs as the extension. Paste the following text into the .vbs file and edit it in the places described below.

' Bind to the user object by its distinguished name
Set objUser = GetObject _
    ("LDAP://cn=accountname,ou=organizationalunit,dc=domain,dc=domainextension")
' Clear the disabled flag, then write the change back to the directory
objUser.AccountDisabled = False
objUser.SetInfo

Replace accountname with the common name (CN) of the user object, which is the name shown in Active Directory Users and Computers and is not necessarily the logon name; replace organizationalunit with the OU that holds the account, and domain and domainextension with the components of your domain (for example, dc=example,dc=com for example.com). Nested OUs need one ou= component per level, innermost first. Save the text file.
Just double-click it to execute, and voilà! This is the bare minimum code to enable a disabled account; it doesn't report whether it worked or failed. You could get fancy and make it display a message box when it's finished, but I didn't feel like going that far.
The following code disables the specified account by setting the ADS_UF_ACCOUNTDISABLE bit in its userAccountControl attribute while leaving the other flags in that attribute untouched.
' The "account disabled" bit of userAccountControl
Const ADS_UF_ACCOUNTDISABLE = 2
Set objUser = GetObject _
    ("LDAP://cn=accountname,ou=organizationalunit,dc=domain,dc=domainextension")
' Read the current flags, OR in the disabled bit so other flags are preserved, and save
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC Or ADS_UF_ACCOUNTDISABLE
objUser.SetInfo

For added security I took the disable-account code and made a scheduled task on one of our servers to automatically run this script every day at 4:30 pm. That way I know the account gets disabled and I don't have to worry about someone forgetting to disable it.
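The two snippets above do the job but give no feedback, and a delegated user who lacks the right permission gets an unhandled error dialog. The script below is an added example, not the original post's code: it folds the enable and disable cases into one script that takes enable or disable as a command-line argument, handles bind and SetInfo failures, and reads the attribute back from the directory to confirm the change. The distinguished name in TARGET_DN is the same placeholder as above and must be replaced; the script assumes it is run with cscript so that its messages go to the console.

```vbscript
' toggle_account.vbs - added example, not the original post's script.
' Usage: cscript //nologo toggle_account.vbs enable|disable
' TARGET_DN is a placeholder (assumption); replace it with the real DN.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2
Const TARGET_DN = "LDAP://cn=accountname,ou=organizationalunit,dc=domain,dc=domainextension"

Dim action, objUser, intUAC, newUAC

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo " & WScript.ScriptName & " enable|disable"
    WScript.Quit 1
End If
action = LCase(WScript.Arguments(0))

' Bind to the user object. This fails if the DN is wrong or the caller cannot read it.
On Error Resume Next
Set objUser = GetObject(TARGET_DN)
If Err.Number <> 0 Then
    WScript.Echo "Bind failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' Compute the new flags with bit operations so the other userAccountControl bits
' (for example "password never expires") are preserved.
intUAC = objUser.Get("userAccountControl")
Select Case action
    Case "enable"
        newUAC = intUAC And (Not ADS_UF_ACCOUNTDISABLE)
    Case "disable"
        newUAC = intUAC Or ADS_UF_ACCOUNTDISABLE
    Case Else
        WScript.Echo "Unknown action: " & action
        WScript.Quit 1
End Select

If newUAC = intUAC Then
    WScript.Echo "Account is already " & action & "d; nothing to do."
    WScript.Quit 0
End If

' SetInfo is where a missing delegated write permission shows up, as
' "General access denied error" (0x80070005).
On Error Resume Next
objUser.Put "userAccountControl", newUAC
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "SetInfo failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 3
End If
On Error GoTo 0

' Re-read from the directory instead of trusting the local property cache.
objUser.GetInfo
intUAC = objUser.Get("userAccountControl")
If (intUAC And ADS_UF_ACCOUNTDISABLE) = 0 Then
    WScript.Echo objUser.Get("sAMAccountName") & " is now enabled."
Else
    WScript.Echo objUser.Get("sAMAccountName") & " is now disabled."
End If
```

The same script covers the nightly scheduled task: run it with the argument disable. Whatever account the task runs as should be given only the delegated write permission on that one user object rather than Domain Admins membership, so that a compromise of the task's credentials or of the server cannot be turned into control of every account in the domain.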