Hey, Scripting Guy! How can I determine whether or not the Guest account is enabled on a computer and, if it is, disable it?
— PR
Hey, PR. At last: a question for which there is a very simple, very straightforward answer. This isn’t to minimize the importance of the task: in general, it’s highly recommended that you disable the Guest account on your computers. It’s just nice to have a question where we don’t have to come up with some crazy workaround.
Let’s start with determining whether or not the Guest account is enabled on a computer. To do that, we simply need to bind to the Guest account and then check the value of the AccountDisabled property. How hard is that? Well, it’s no harder than this:
strComputer = “atl-ws-01” Set objUser = GetObject(“WinNT://” & strComputer & “/Guest”)Wscript.Echo “Guest account disabled: ” & objUser.AccountDisabled
That’s right, just three lines of code. We assign the name of the computer (atl-ws-01) to the variable strComputer, then use ADSI and the WinNT provider to bind to the Guest account on that computer. (Note: With the WinNT provider, case is important; don’t type something like winnt … unless, of course, you don’t want a script that actually works). Finally, we echo back the value of the AccountDisabled property. If the Guest account is disabled, then AccountDisabled will be True; if the account is enabled, then AccountDisabled will be False.
See why we liked this question so much?
Of course, you might be thinking, “Well, sure, determining whether the Guest account is enabled is easy, but what about disabling that account? How hard is that going to be?” Well, we have to be honest with you: this is definitely harder. After all, it takes four lines of code rather than just three:
strComputer = “atl-ws-01” Set objUser = GetObject(“WinNT://” & strComputer & “/Guest”)objUser.AccountDisabled = True objUser.SetInfo
As you can see, we bind to the Guest account and set the value of AccountDisabled to True. We then call the SetInfo method to actually write this change to the account, disabling it.
That’s it. If you want to first check the value of the account and then disable it, you can simply combine the scripts, like so:
strComputer = “atl-ws-01” Set objUser = GetObject(“WinNT://” & strComputer & “/Guest”)Wscript.Echo “Guest account disabled: ” & objUser.AccountDisabled
objUser.AccountDisabled = True objUser.SetInfo
Note that no error is generated if you try to disable an account that’s already disabled. Therefore, we simply echo the current account status and then go ahead and disable it. If the account is already disabled, hey, no problem; the script will just gracefully terminate.
0 comments