# Disabling an Amazon Managed Microsoft AD user Use the following procedure to disable an Amazon Managed Microsoft AD user with user and group management or Amazon Directory Service Data in either the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell. **Important** When you disable a user's account, the user loses any permissions to access their account and applications. **Before you begin either procedure, you need to complete the following:** + [Creating your Amazon Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory). + To use user and group management or Amazon Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md). + You can only enable this feature from the Primary Amazon Web Services Region for your directory. For more information, see [Primary vs additional Regions](https://docs.amazonaws.cn/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html). + You'll need the necessary IAM permissions to use Amazon Directory Service Data. For more information, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use Amazon managed policies like [Amazon managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [Amazon managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.amazonaws.cn//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies). + [Creating an Amazon Managed Microsoft AD user](ms_ad_create_user.md). ------ #### [ Amazon Web Services Management Console ] You can disable an Amazon Managed Microsoft AD user account in the Amazon Web Services Management Console. **To disable an Amazon Managed Microsoft AD user account with the Amazon Web Services Management Console** 1. Open the Amazon Directory Service console at [https://console.amazonaws.cn/directoryservicev2/](https://console.amazonaws.cn/directoryservicev2/). 1. From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your Amazon Web Services Region. 1. Choose a directory. You're directed to the **Directory details** screen. 1. Choose **Users**. The tab shows a list of users in your directory. 1. Choose the user whose account you want to disable. You're directed to the **User details** screen. 1. Choose **Actions**. Then choose **Disable user account** and **Disable user account** again. **Note** To re-enable your user's account, you must reset the user's password. For more information, see [Resetting and enabling an Amazon Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md). ------ #### [ Amazon CLI ] The following describes how to format a request that disables an Amazon Managed Microsoft AD user account with the Amazon Directory Service Data CLI. **To disable an Amazon Managed Microsoft AD user account with the Amazon CLI** + Open the Amazon CLI, and run the following command, replacing the Directory ID and username with your Amazon Managed Microsoft AD Directory ID and username: ``` aws ds-data disable-user --directory-id d-1234567890 --sam-account-name "jane.doe" ``` **Note** To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an Amazon Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md). ------ #### [ Amazon Tools for PowerShell ] The following describes how to format a request that disables an Amazon Managed Microsoft AD user account with Amazon Tools for PowerShell. **To disable an Amazon Managed Microsoft AD user account with Amazon Tools for PowerShell** + Open PowerShell;, and run the following command, replacing the Directory ID and username with your Amazon Managed Microsoft AD Directory ID and username: ``` Disable-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe" ``` **Note** To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an Amazon Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md). ------