[gptalk] Re: Automatic Disabling of AD Computer accounts

  • From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 11 Oct 2007 10:26:31 +0200

I do not think there is such a solution available. The problem here would be 
that this would be something that needs to run in AD and not on the computers 
where the GP CSEs reside and execute. In theory it might be possible for a 
computer to disable itself from a startup script, but the other way around is 
tough for obvious reasons :-). The problem is similar to the situation with the 
Password Policy GP setting that actually executes on the Domain Controllers.

I normally prefer using GP compared to "external" solutions, but a workaround 
could be a small script or program that runs as a scheduled job on a DC that 
does the trick, although you need to take into consideration that there could 
be disabled computers in other OUs for other reasons etc. Also, unless you use 
the DirSync control to monitor changes, you will also have to live with a 
polling solution, so the change will not be immediate.


Thorbjörn Sjövold
Special Operations Software
http://www.specopssoft.com/
thorbjorn.sjovold a t specopssoft.com

Download our free tool for remote Gpupdate with graphical reporting, 
http://www.specopssoft.com/products/specopsgpupdate/



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ray Lewis
Sent: 11 October 2007 09:38
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Automatic Disabling of AD Computer accounts

Hi all...

Is there a GPO rule I can tag to an OU that will "automatically" disable the 
computer accounts within it? For example, as soon as a machine is moved into 
that OU, it becomes disabled and can't be re-enabled unless moved.

Cheers guys...

Ray
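
The scheduled-job workaround from the reply above, as an added example that is not part of the original thread and not Specops code: a PowerShell script for a scheduled task that disables computer accounts in one OU and stamps them, so accounts disabled in other OUs for other reasons are left alone. It assumes the ActiveDirectory module; the OU DN, the marker text and the -ReEnableMoved switch are hypothetical, and the re-enable step goes beyond what the thread asks for.

```powershell
#Requires -Modules ActiveDirectory
# Added example: polling job for a "quarantine" OU, run as a scheduled task.
# Assumptions (not from the thread): the OU DN is a placeholder and the marker
# text written to Description is this script's own convention.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$QuarantineOU = 'OU=Quarantine,DC=example,DC=com',
    [string]$Marker       = 'AUTO-DISABLED-BY-QUARANTINE-JOB',
    [switch]$ReEnableMoved
)

# 1. Disable every enabled computer account under the OU and stamp it, so the
#    job can later tell its own work from accounts disabled for other reasons.
#    An account re-enabled by hand inside the OU is caught again on the next run.
Get-ADComputer -SearchBase $QuarantineOU -SearchScope Subtree `
        -Filter 'Enabled -eq $true' -Properties Description |
    ForEach-Object {
        $c = $_
        $desc = $c.Description
        if ($desc -notlike "*$Marker*") {
            $desc = (@($c.Description, $Marker) | Where-Object { $_ }) -join ' '
        }
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable and stamp')) {
            Set-ADComputer -Identity $c -Enabled $false -Description $desc
            Write-Output "DISABLED  $($c.DistinguishedName)"
        }
    }

# 2. Optional: re-enable accounts that carry the marker but now live outside
#    the OU. Accounts disabled by anyone else have no marker and are skipped.
if ($ReEnableMoved) {
    $suffix = ",$QuarantineOU"
    Get-ADComputer -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -like "*$Marker*" -and -not $_.DistinguishedName.EndsWith(
                $suffix, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            $c = $_
            $desc = ($c.Description -replace [regex]::Escape($Marker), '').Trim()
            if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Re-enable and clear stamp')) {
                if ($desc) { Set-ADComputer -Identity $c -Enabled $true -Description $desc }
                else       { Set-ADComputer -Identity $c -Enabled $true -Clear Description }
                Write-Output "ENABLED   $($c.DistinguishedName)"
            }
        }
}
```

Run it with -WhatIf first to see which accounts it would touch. The delay between a move into the OU and the account being disabled is the scheduled task's interval, which is the polling trade-off the reply mentions.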
