How to Disable a Computer Account in Active Directory in Batch Script
Disabling a computer account is a critical security and administrative task. When a laptop is reported stolen, a desktop is decommissioned, or a server is taken offline indefinitely, you must revoke its ability to authenticate with the Domain Controller to prevent unauthorized access. While you can right-click an object in the "Active Directory Users and Computers" GUI, a Batch script allows you to automate this for bulk retirements or as part of a standardized "Asset Disposal" workflow. This guide explains how to use the dsmod utility to disable computer accounts.
Why Disable Computer Accounts?
- Theft Response: Instantly revoking the trust relationship of a missing laptop to protect company data before it can be used on the network.
- Decommissioning Automation: Disabling a computer object as part of a larger cleanup script that also deletes the machine's DNS records and SCCM data.
- Security Quarantine: Disabling a computer that has been flagged for malware or suspicious activity to isolate it from domain resources.
The dsmod command is part of the Remote Server Administration Tools (RSAT). It must be installed on your workstation to modify computer objects from the command line.
Method 1: Disabling a Computer via DN
The dsmod computer utility requires the "Distinguished Name" (DN) of the machine you want to disable.
@echo off
setlocal
:: Check for RSAT tools
where dsmod >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] dsmod.exe not found. Install RSAT tools first.
    echo [HELP] Settings ^> Apps ^> Optional Features ^> Add RSAT
    pause
    exit /b 1
)
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
set "COMPUTER_DN=CN=PC-FINANCE-01,OU=Workstations,DC=Company,DC=com"
echo [PROCESS] Disabling computer account...
echo Target: %COMPUTER_DN%
echo.
:: -disabled yes = Revokes the machine's ability to log on
dsmod computer "%COMPUTER_DN%" -disabled yes
if %errorlevel% equ 0 (
    echo [SUCCESS] Computer account is now disabled.
    echo [NOTE] Users will no longer be able to log in with domain
    echo credentials on this machine.
) else (
    echo [ERROR] Failed to modify object. Code: %errorlevel%
    echo [HELP] Verify the DN and that you have Write permissions.
)
pause
Method 2: Finding and Disabling by Name
Since technicians rarely know the full DN of a computer, you can combine dsquery and dsmod to find and disable a machine using just its simple name.
@echo off
setlocal EnableDelayedExpansion
set /p "PC_NAME=Enter computer name to disable: "
if "!PC_NAME!"=="" (
    echo [ERROR] No name entered.
    pause
    exit /b 1
)
:: Check for RSAT tools
where dsquery >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] RSAT tools not found.
    pause
    exit /b 1
)
:: Verify the computer exists and that the name resolves to exactly one object
:: (dsquery -name accepts wildcards, so "PC-*" would otherwise silently pick the last match)
set "PC_DN="
set /a MATCHES=0
for /f "tokens=*" %%d in ('dsquery computer -name "!PC_NAME!" 2^>nul') do (
    set "PC_DN=%%d"
    set /a MATCHES+=1
)
if not defined PC_DN (
    echo [ERROR] Computer "!PC_NAME!" not found in Active Directory.
    pause
    exit /b 1
)
if !MATCHES! gtr 1 (
    echo [ERROR] "!PC_NAME!" matched !MATCHES! objects. Enter the exact computer name.
    pause
    exit /b 1
)
echo [PROCESS] Disabling: !PC_DN!
echo.
:: dsquery returns the DN already quoted, so no extra quotes are needed here
dsmod computer !PC_DN! -disabled yes
if !errorlevel! equ 0 (
    echo [SUCCESS] "!PC_NAME!" has been disabled in Active Directory.
) else (
    echo [ERROR] Failed to disable. Check permissions.
)
pause
Creating a Retirement Tool
This professional script validates inputs, confirms the action, disables the computer, and adds a decommission note.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Active Directory Asset Retirement Utility
echo ============================================================
:: 1. Verify RSAT tools
where dsquery >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] RSAT tools not found.
    pause
    exit /b 1
)
:: 2. Verify Administrative Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Elevated permissions required for account management.
    pause
    exit /b 1
)
:: 3. Get target
set /p "TARGET=Name of Computer to Disable: "
if "!TARGET!"=="" (
    echo [ERROR] No name entered.
    pause
    exit /b 1
)
:: 4. Find the computer (require exactly one match; -name accepts wildcards)
echo.
echo [PROCESS] Searching for "!TARGET!" in Active Directory...
set "COMP_DN="
set /a MATCHES=0
for /f "tokens=*" %%a in ('dsquery computer -name "!TARGET!" 2^>nul') do (
    set "COMP_DN=%%a"
    set /a MATCHES+=1
)
if not defined COMP_DN (
    echo [FAIL] Computer "!TARGET!" was not found in the domain.
    pause
    exit /b 1
)
if !MATCHES! gtr 1 (
    echo [FAIL] "!TARGET!" matched !MATCHES! objects. Enter the exact computer name.
    pause
    exit /b 1
)
echo [FOUND] !COMP_DN!
echo.
:: 5. Show current status (dsget prints a trailing "dsget succeeded" line; filter it out)
echo [CURRENT] Account status:
dsget computer !COMP_DN! -disabled -desc 2>nul | findstr /v /i /c:"dsget succeeded"
echo.
:: 6. Confirm before disabling
set /p "CONFIRM=Disable this computer account? (Y/N): "
if /i not "!CONFIRM!"=="Y" (
    echo [INFO] Cancelled. No changes made.
    pause
    exit /b 0
)
:: 7. Disable and add description
echo.
echo [PROCESS] Disabling account...
dsmod computer !COMP_DN! -disabled yes -desc "Decommissioned %DATE% by %USERNAME%" >nul 2>&1
if !errorlevel! equ 0 (
    echo [SUCCESS] "!TARGET!" is now DISABLED.
    echo.
    echo [VERIFY] Updated status:
    dsget computer !COMP_DN! -disabled -desc 2>nul | findstr /v /i /c:"dsget succeeded"
    echo.
    echo [RECOMMEND] Consider moving to a quarantine OU:
    echo dsmove !COMP_DN! -newparent "OU=Disabled_Computers,DC=Domain,DC=com"
) else (
    echo [ERROR] Failed to disable. Code: !errorlevel!
    echo [HELP] Verify permissions and check if the object is protected
    echo from accidental deletion.
)
echo ============================================================
pause
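The introduction mentions bulk retirements; the following is an added example, not one of the guide's own scripts, that extends the lookup-and-disable pattern above to a list file with a dry-run switch, a result log, a refusal of wildcard names and a requirement that each name resolve to exactly one object. The file layout, the /dryrun switch, the log format and the "(bulk)" description suffix are my own choices.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example: bulk retirement from a list file (one computer name per
:: line, # starts a comment). Usage: bulk_disable.cmd computers.txt [/dryrun]
:: Assumes RSAT (dsquery/dsmod) is installed and the caller has Write rights.
if "%~1"=="" (echo Usage: %~nx0 ^<listfile^> [/dryrun] & exit /b 1)
if not exist "%~1" (echo [ERROR] List file "%~1" not found. & exit /b 1)
set "DRYRUN=0"
if /i "%~2"=="/dryrun" set "DRYRUN=1"
set "LOG=%~dpn1_result.log"
set /a OK=0, SKIP=0, FAIL=0
for /f "usebackq eol=# delims=" %%n in ("%~1") do call :one "%%n"
echo [SUMMARY] disabled=%OK% skipped=%SKIP% failed=%FAIL% (log: %LOG%)
exit /b 0

:one
set "NAME=%~1"
:: Refuse wildcards so a stray * cannot match every computer in the domain
echo "%~1" | findstr /l /c:"*" /c:"?" >nul && (
    call :log SKIP "!NAME!" "wildcard characters are not allowed"
    set /a SKIP+=1
    exit /b
)
:: Resolve the name to a DN and require exactly one match
set "DN=" & set /a HITS=0
for /f "delims=" %%d in ('dsquery computer -name "!NAME!" 2^>nul') do (
    set "DN=%%d"
    set /a HITS+=1
)
if !HITS! neq 1 (
    call :log SKIP "!NAME!" "found !HITS! matches, expected exactly 1"
    set /a SKIP+=1
    exit /b
)
if %DRYRUN%==1 (call :log DRYRUN "!NAME!" !DN! & exit /b)
:: dsquery returns the DN already quoted, so !DN! is passed through as-is
dsmod computer !DN! -disabled yes -desc "Decommissioned %DATE% by %USERNAME% (bulk)" >nul 2>&1
if !errorlevel! equ 0 (
    call :log OK "!NAME!" !DN!
    set /a OK+=1
) else (
    call :log FAIL "!NAME!" "dsmod returned !errorlevel!"
    set /a FAIL+=1
)
exit /b
:log
>>"%LOG%" echo %DATE% %TIME% [%~1] %~2 - %~3
echo [%~1] %~2 - %~3
exit /b
```

Run it once with /dryrun and check the log before running it for real; every skipped line is a name that either was not found or was ambiguous.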
Common Pitfalls and How to Avoid Them
Administrative Rights
Modifying computer accounts in Active Directory is a highly privileged operation. You must run your script with an account that has "Write" permissions on the computer object (usually a Domain Admin or delegated technician).
Disabling vs. Deleting
Disabling an account is usually safer than deleting it. A disabled account can be re-enabled in seconds if a mistake was made, whereas a deleted account loses its SID and requires the machine to be rejoined to the domain.
For decommissioned hardware, advise your users to disable the account first and wait 30 days. If the machine truly isn't needed after that, they can safely delete it with dsdel.
Best Practices for Asset Management
- Move to Quarantine OU: When disabling a machine, it's a best practice to also move it to a "Terminated" or "Old Objects" OU so it doesn't clutter your Active Directory structure.
- Add a Description: Always add a comment to the object when you disable it, for example:
dsmod computer <DN> -disabled yes -desc "Decommissioned on %DATE% per Ticket #1234"
- Audit Disabled Accounts: Periodically run a script to list all disabled computers:
dsquery computer -disabled
If an account has been disabled for over 6 months, it is a candidate for deletion.
Note that once a computer account is disabled, users will no longer be able to log in to that specific machine with domain credentials. They will receive an error: "The trust relationship between this workstation and the primary domain failed."
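As an added example for the audit practice above (not part of the original guide), this script combines dsquery's -disabled and -inactive filters to produce a review list rather than deleting anything, and pulls each candidate's description so the reviewer sees the decommission note. The 26-week threshold, the report path and the output wording are my assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example: list disabled computer accounts that have also been inactive
:: for WEEKS weeks and write them to a review file. Nothing is deleted here.
:: Assumes RSAT is installed; -inactive relies on lastLogonTimestamp, which
:: needs a Windows Server 2003 or later domain functional level.
set "WEEKS=26"
set "REPORT=%TEMP%\disabled_computer_audit.txt"
set /a TOTAL=0, CANDIDATES=0
for /f "delims=" %%d in ('dsquery computer -disabled -limit 0 2^>nul') do set /a TOTAL+=1
>"%REPORT%" echo Disabled computers inactive for %WEEKS%+ weeks (generated %DATE% %TIME%)
for /f "delims=" %%d in ('dsquery computer -disabled -inactive %WEEKS% -limit 0 2^>nul') do (
    set /a CANDIDATES+=1
    >>"%REPORT%" echo %%d
    rem Keep the description so the reviewer sees the decommission note;
    rem drop dsget's column header and its trailing "dsget succeeded" line
    for /f "delims=" %%x in ('dsget computer %%d -desc 2^>nul ^| findstr /v /i /r /c:"^ *desc *$" /c:"^dsget succeeded"') do >>"%REPORT%" echo     %%x
)
echo [AUDIT] %TOTAL% disabled computer accounts in the domain
echo [AUDIT] %CANDIDATES% of them also inactive for %WEEKS%+ weeks; review %REPORT%
echo [NOTE] Run dsdel only for entries approved after review.
exit /b 0
```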
Conclusion
Disabling a computer account via Batch script is a fundamental requirement for maintaining a secure and professional enterprise network. By leveraging the dsmod utility to automate the deactivation of assets, you can ensure that your organization's digital perimeter is resilient against unauthorized access from stolen or retired hardware. This professional approach to system management reduces manual effort, simplifies the decommissioning of old equipment, and provides a clear, automated mechanism for handling security incidents across the entire Windows domain.