How to Manage User Accounts in Active Directory. Part 3: Enabling, Disabling and Setting Expiration Period for Accounts
Users are one of the most popular objects in AD. They are used for authentication and authorization onworkstations. Also, in many services which are integrated with AD. User management is the main routine for sysadmins and helpdesk specialists. This guide helps to manage such objects in multiple ways. For managing users there is a need to install RSAT tools or manage them from your DC. You have to be signed under domain admin or an Account Operators user or with delegation rights to create objects in the current OU.
How to Enable and Disable a User Account in Active Directory
If you want to stop a user logging into their workstation you can disable it, but you need it again for some reason, for example, an employee returned from maternity leave, you can enable it again. Here is the guide to do that in multiple ways.
Enabling and Disabling a User Account Using Active Directory Users and Computers
To enable/disable a user in ADUC, follow these steps:
In ADUC (dsa.msc). Determine the OU or container storing needed accounts. Rightclick it and select Find.... In the Name field, type the name of the user account and then click Find Now... From the list of Search results, select the needed user object, right-click it and select Enable account or Disable account depending on what you need right now and click OK.
Enabling/Disabling a User Account Using cmd.exe
These tasks are for dsmod.exe, use it with the following settings to enable an account.
dsmod.exe "CN=GSoul,CN=Users,DC=office,DC=local" -disabled no
And this will disable it:
dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled yes
Enabling and Disabling a User Account Using Windows PowerShell
Here is the PowerShell code to enable a user account:
Enable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"
And this one is for disabling a user account:
Disable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"
How to Set Account Expiration Period to a User Account
User accounts can be set to automatically expire after certain period of time.
Setting Account Expiration Period in ADUC
To set account expiration in ADUC, follow these simple steps:
In ADUC (dsa.msc) go to the OU or container with needed user account. Rightclick it and select Find.... In the Name field, type the name of the user account and then click Find Now... From the list of Search results, select the needed user object. Right-click it and select Properties. Select the Account tab, at the bottom of this tab, change the Never option for “Account expires:” to End of:, and select needed date. Click OK to save the changes.
Setting Account Expiration Period Using cmd.exe
Use the dsmod.exe to set the quantity of days before an account expires:
dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -acctexpires 90
Setting Account Expiration Period Using Windows PowerShell
To set user expiration period in Employees OU execute the following PowerShell script:
Set-ADAccountExpiration -Identity "CN=GSoul,OU=Employees,DC=office,DC=local" -DateTime "11/11/2021 12:00:00"