Disable or Enable an AD LDS User

Applies To: Windows Server 2008

When you disable and enable an Active Directory Lightweight Directory Services (AD LDS) user, you control whether that user can bind to the AD LDS directory. You use the ADSI Edit snap-in to disable and enable AD LDS users.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To disable or enable an AD LDS user

  1. To open ADSI Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to an AD LDS instance. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  3. Browse to the AD LDS user that you want to disable or enable, right-click that user, and then click Properties.

  4. In Attributes, click msDS-UserAccountDisabled, and then click Edit.

  5. Do one of the following, and then click OK:

    • To disable the AD LDS user, click True.

    • To enable the AD LDS user, click either False or Not set.

Note

By default, an AD LDS user is enabled when the user is created. However, if you assign a new AD LDS user a password that does not meet the password policy restrictions in effect on the local server or domain, that AD LDS user will be disabled by default.

Note

If the AD LDS user that you want to enable or disable is currently logged on to the AD LDS instance, that user must log off for the new setting to take effect.
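The same change can be made from a script, together with a check of which accounts are currently disabled. This is an added example, not part of the original procedure: the instance address `localhost:50000`, the container `CN=Users,O=Example,C=US`, the user name, and the two function names are assumptions to replace with your own values. It binds as the account running the session, which needs the Administrators membership described above.

```powershell
# Added example. Placeholder values: replace with your instance and partition.
$Server    = 'localhost:50000'            # assumed AD LDS host:port
$Partition = 'CN=Users,O=Example,C=US'    # assumed container DN

function Set-AdLdsUserDisabled {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$UserDn,
        [Parameter(Mandatory = $true)][bool]$Disabled
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$UserDn")
    try {
        # Record the value before the change so the action can be reviewed later.
        $attr   = $entry.psbase.Properties['msDS-UserAccountDisabled']
        $before = if ($attr.Count -eq 0) { '<not set>' } else { $attr.Value }
        $attr.Value = $Disabled           # True disables, False enables (step 5)
        $entry.psbase.CommitChanges()
        # Re-read from the directory to confirm what was actually stored.
        $entry.psbase.RefreshCache()
        $after = $entry.psbase.Properties['msDS-UserAccountDisabled'].Value
        New-Object PSObject -Property @{ UserDn = $UserDn; Before = $before; After = $after }
    } finally {
        $entry.psbase.Dispose()
    }
}

function Get-AdLdsDisabledUser {          # hypothetical helper name
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Match on the attribute only, so any bindable object class is covered.
    $searcher.Filter   = '(msDS-UserAccountDisabled=TRUE)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('whenChanged')
    try {
        foreach ($result in $searcher.FindAll()) {
            New-Object PSObject -Property @{
                DistinguishedName = $result.Properties['distinguishedname'][0]
                WhenChanged       = $result.Properties['whenchanged'][0]
            }
        }
    } finally {
        $searcher.Dispose()
        $root.psbase.Dispose()
    }
}

# Constructed sample user: disable the account, then list every disabled account.
Set-AdLdsUserDisabled -UserDn "CN=Mary Baker,$Partition" -Disabled $true
Get-AdLdsDisabledUser | Format-Table -AutoSize
```

Comparing the `Get-AdLdsDisabledUser` output against the list of accounts that should be disabled gives a quick review of the instance after offboarding or incident response.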