Disable or Enable an AD LDS User
Applies To: Windows Server 2008
When you disable and enable an Active Directory Lightweight Directory Services (AD LDS) user, you control whether that user can bind to the AD LDS directory. You use the ADSI Edit snap-in to disable and enable AD LDS users.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.
To disable or enable an AD LDS user
1. Open ADSI Edit.
2. Connect and bind to an AD LDS instance. For more information, see Use ADSI Edit to Manage an AD LDS Instance.
3. Browse to the AD LDS user that you want to disable or enable, right-click that user, and then click Properties.
4. In Attributes, click msDS-UserAccountDisabled, and then click Edit.
5. Do one of the following, and then click OK:
   - To disable the AD LDS user, click True.
   - To enable the AD LDS user, click either False or Not set.
Additional considerations
To open ADSI Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.
By default, an AD LDS user is enabled when the user is created. However, if you assign a new AD LDS user a password that does not meet the password policy restrictions in effect on the local server or domain, that AD LDS user will be disabled by default.
If the AD LDS user that you want to enable or disable is currently logged on to the AD LDS instance, that user must log off for the new setting to take effect.
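A scripted equivalent of the procedure above, using System.DirectoryServices from PowerShell, with a report of every user's msDS-UserAccountDisabled state so that accounts left disabled by the password policy can be found. This is an added example, not part of the original article; the server address, partition and user distinguished names are assumed placeholders, and the function names are hypothetical.

```powershell
# Added example. Replace the assumed placeholders with your instance's values.
$Server = 'localhost:389'                    # assumed AD LDS host:port
$BaseDn = 'O=Contoso,C=US'                   # hypothetical application partition
$UserDn = "CN=Mary Baker,OU=Users,$BaseDn"   # hypothetical AD LDS user
$Attr   = 'msDS-UserAccountDisabled'

function Set-AdLdsUserDisabled {
    param(
        [string] $Server,
        [string] $DistinguishedName,
        # Same three choices as the ADSI Edit attribute editor
        [ValidateSet('True', 'False', 'NotSet')] [string] $State
    )
    # Binds with the current Windows identity, which must be a member of
    # the Administrators group of the AD LDS instance.
    $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DistinguishedName")
    $prop = $user.psbase.Properties[$Attr]
    if ($State -eq 'NotSet') {
        # Clearing an attribute that is already absent would fail on commit
        if ($prop.Count -gt 0) { $prop.Clear() }
    } else {
        $prop.Value = ($State -eq 'True')
    }
    $user.psbase.CommitChanges()
}

function Get-AdLdsUserState {
    param([string] $Server, [string] $BaseDn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=user)')
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.Add($Attr)
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) {
        # Result property names are stored in lower case
        $values = $r.Properties[$Attr.ToLower()]
        $state = 'Not set'
        if ($values.Count -gt 0) { $state = [bool] $values[0] }
        New-Object PSObject -Property @{
            DistinguishedName = [string] $r.Properties['distinguishedname'][0]
            Disabled          = $state
        }
    }
}

Set-AdLdsUserDisabled -Server $Server -DistinguishedName $UserDn -State 'True'
Get-AdLdsUserState -Server $Server -BaseDn $BaseDn | Format-Table -AutoSize
```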