How Can I Disable a Computer Account?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I disable a computer account?

— MD

SpacerHey, Scripting Guy! AnswerScript Center

Hey, MD. You know, our first thought when we read your question was to ask our very own Peter Costantini, a scripting guru who’s done a lot of work with Active Directory. For better or worse, however, Peter’s originally from New Jersey and is a big fan of The Sopranos. Consequently, when we asked him how to disable a computer account he told us, “Well, foist youse takes a baseball bat and cracks ‘em good about the kneecaps ….”

You know, come to think of it, that’s Peter’s solution to every question we pose to him.

Admittedly, there have been plenty of times when we’ve wanted to take a baseball bat to our computer; however, we weren’t exactly sure how to find the computer’s kneecaps. Therefore, we decided to disable a computer account using a script like this instead:

Set objComputer = GetObject(“LDAP://cn=atl-ws-01,cn=computers,dc=fabrikam,dc=com”)

objComputer.AccountDisabled = True

Maybe not as satisfying as whacking your computer with a baseball bat, but quicker, easier, and a lot cheaper to boot. We begin by binding to the computer account we want to disable; in this case that’s a computer named atl-ws-01, which is located in the Computers container in

Set objComputer = GetObject(“LDAP://cn=atl-ws-01,cn=computers,dc=fabrikam,dc=com”)

Notice the syntax we used: cn=computers. It’s important to remember that Users and Computers are not organizational units; that means the syntax ou=Computers will fail. Consequently, we use the cn= syntax instead. If our computer was in an OU (say, the Finance OU) then we’d use the ou= syntax, like so:

Set objComputer = GetObject(“LDAP://cn=atl-ws-01,ou=finance,dc=fabrikam,dc=com”)

After making the connection all we do is set the AccountDisabled attribute to True. (Quick quiz: How could we enable a disabled account? That’ right: set AccountDisabled to False.) We then call the SetInfo method to write the changes back to Active Directory and we’re done.

Important clarification. Peter has pointed out that he doesn’t actually say things like “foist” and “youse,” and said he is tired of people from Washington state making fun of people from New Jersey. With that in mind, he politely asked us to apologize for our disrespect; otherwise, he’d take a baseball bat to our kneecaps. Peter, we apologize.

Comments (2)

  1. AllenRich says:

    Excellent , thanks for sharing most valuable information for disabling a computer account which have not logged in for the past 180 number of days in the organization. I found this active directory cleaner tool (
    which helps to manage them to through automated actions i.e. disable and move inactive accounts to another OU.

Skip to main content