GPEARL383

Disabled users not showing red disabled circle in AD

When I disable a user in Active Dir(W2K) it does not show the little red "disabled" circle next to user name.  Sometimes it will show but most of the time it does not show.  Anyone know why this would happen?

GSP
BigC666

howdy,

it doesn't show in real time, but the disable is realtime, give the red circle some time for ad to sync

hope that this helps
GPEARL383
BigC666 is right.

Your domain will have to sync before it shows up correctly everywhere. If it's not working as expected then use the REPLMON tool from the support tools pack on the CD (\support) to check that your replication is working ok

Cheers

JamesDS
I've also had an issue where I keep ADUC open for over a week on my computer and things like computers and accounts that have been moved or disabled never show up properly until I close ADUC and open it back up.  Then everything shows properly.
Eagle6990
that is because the ADUC tool doesn't auto refresh, press F5

normal behaviour!


Cheers

JamesDS
Yeah, if I keep it open for more than 2 days it seems it doesn't matter if I refresh or not, it still won't show it properly until I do a full close.

ASKER

I do realize all of these things about F5 refresh and users not showing up in realtime.  But some of these users have been disabled already for months...what do you think about this...could this be a replication problem and if so what is the best way to diagnose.  What exactly does REPLMON do?
You should see the red disabled mark if you right click on the user and select disabled. If the account is administratively disabled, such as setting the Account Expiration Date, the account will not show up as disabled.

How are you disabling the accounts?

J
I go in to AD and find the user - rclick - disable.

All of the users that are disabled are disabled....I can rclick and see "enable account" on the ones that are disabled...just no red circle.  It's funny because there does not seem to be any rhyme or reason to this.  Does it matter what server I access AD users and computers from?
It does not matter (or at least it shouldn't), try going into Active Directory Sites and Services and synchronize the domain.

Open the sites;
Open your site;
Open the Domain Controller;
click on NTDS Settings;
Right click on each object on the right and select "replicate now"

Do that for each domain controller

Then reboot your computer and see if that fixes the problem.

If it does not then you may have a synchronization problem.

OK i will try this but cannot do it right now because am running on live network.  I will try tonight and see what happens and post back tomorrow to let you know.    
This will not affect your live environment, syncing the domain is a process that should be occurring regularly. As far as the reboot, I was referring to your own workstation.

J
ok i will try and get back to you with an update
I tried to replicate like you said but nothing happened.  Do you have any other suggestions?  Thanks

GSP
In AD (in a department OU I have set up), when you rclick - find - then search for a user, if the user is disabled will the disabled red circle be displayed in the find results?
No, the Find dialog box does not show the disabled user when you use the Windows 2000 Administrative Tools. If you download the Windows 2003 Administrative Tools, you can search for all Disabled Users. In the 2003 version of AD Users and Computers you have a checkbox option in the Find Dialog to show all disabled users. I think you should download and install the pak, if you have Windows XP. Let me know if you can do this, I will tell you how you can build and save queries and do finds, for these things.

Whether you do that or not, I think you need to run DCDIAG:

Download for DCDIAG:
http://www.microsoft.com/downloads/details.aspx?familyid=23870a87-8422-408c-9375-2d9aaf939fa3&displaylang=en

After it is installed, must be installed to a Windows 2000 desktop or server:

open a command prompt; change directory to systemdrive\program files\support tools
type "dcdiag /s:domaincontroller /a /f:dcdiag.txt" ... where domaincontroller is the name of your DC (any DC).. you can do this without affecting users
After that completes run "notepad dcdiag.txt" and view the file, remove anything you believe is confidential and post the results here.



ADMINPAK INFO:



Windows 2003 Administrative tools work great within a Windows 2000 Active Directory, and give you more options. It is a much better toolset but your admin station must be running Windows XP. If you did not go to Windows XP for your workstation because it did not have the administration tools, now is the time.

Download for Windows 2003 Administration Pack.

http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
JDECLUE:  I am running XP on my desktop machines.  So you're saying I can use the 2003admin toolkit on a W2K AD.  Is there any downside to this toolkit?  I thought it was only if you were running Server2003 and 2003 AD?  I am d/l anyway and installing on my xp workstation...let's take a look....
No downside that I am aware of, only upsides as far as I can tell.

J
OK I D/L it and installed on my workstation.  Now when i go to AD users computers and go to find dialog box, where is the search by disabled users box.  I see the advanced button...but i do not see search for disabled.
In the Find Dialog, click on the Find Drop Down box and select "Common Queries"

J
I have to admit it is first time i played with 2003 admin tools and i think they are pretty cool.  Do you know of any articles or whitepapers that i can look into to see other neat tricks not in 2000 admin tools?  
ASKER CERTIFIED SOLUTION
jdeclue

ok cool i will play around with it too...thanks
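
The two points raised in the thread, that an expired account is not flagged as disabled and that domain controllers can disagree until replication completes, can be checked directly from the `userAccountControl` and `accountExpires` attributes. The following is an added example, not part of the original thread; the DC names, user names and attribute values are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bit set by "Disable Account"
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LDAP filter that matches accounts with the disable bit set (bitwise-AND rule)
DISABLED_FILTER = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (the accountExpires encoding)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def account_state(uac, account_expires, now):
    """Classify one account as seen on one domain controller."""
    if uac & ADS_UF_ACCOUNTDISABLE:
        return "disabled"
    if account_expires not in NEVER_EXPIRES and from_filetime(account_expires) <= now:
        return "expired"          # cannot log on, but the disable bit is not set
    return "active"

def dc_disagreements(per_dc, now):
    """Return {user: {dc: state}} for users whose state differs between DCs."""
    seen = {}
    for dc, users in per_dc.items():
        for user, (uac, expires) in users.items():
            seen.setdefault(user, {})[dc] = account_state(uac, expires, now)
    return {u: s for u, s in seen.items() if len(set(s.values())) > 1}

# Constructed sample: attribute values as read from two hypothetical DCs.
NOW = datetime(2005, 1, 1, tzinfo=timezone.utc)
PAST = to_filetime(datetime(2004, 6, 1, tzinfo=timezone.utc))
SAMPLE = {
    "DC1": {"alice": (514, 0), "bob": (514, 0), "carol": (512, PAST)},
    "DC2": {"alice": (514, 0), "bob": (512, 0), "carol": (512, PAST)},
}

if __name__ == "__main__":
    for user, states in dc_disagreements(SAMPLE, NOW).items():
        print(user, states)   # a disable that has not replicated to every DC
```

A user reported by `dc_disagreements` months after being disabled points at replication rather than at the console display, which is the case DCDIAG and REPLMON are meant to diagnose.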