PowerTip: Use PowerShell to Find Disabled User Accounts

Summary: Use Windows PowerShell to easily find disabled user accounts in Active Directory.

Hey, Scripting Guy! Question: How can I use Windows PowerShell to find disabled user accounts in Active Directory?

Hey, Scripting Guy! Answer: Use the Search-ADAccount cmdlet from the Active Directory module:

Search-ADAccount -AccountDisabled


  • and this is another way

    Get-ADUser -Filter {enabled -ne $true}

  • one way to fool everyone eh Khalid!!

  • This gives disabled computer accounts too.

  • @Khalid Alghamdi yes that works. Great suggestion.

    @Steve yes this would also give disabled computer accounts. @Khalid has a great suggestion to filter out only users.

  • @Khalid: thanks for the tip. Now I can use "-properties homedirectory" to get a list of disabled users and their homedirectory

  • So... what module(s) needs to be imported for either get-aduser or search-adaccount to work?

  • ah, so I am dumb:

    import-module activedirectory

    ...answering my own stupid questions

  • Really Useful. thanks.

  • @Steve you can also use: Search-ADAccount -AccountDisabled -usersonly

  • Get-ADUser -Filter {enabled -eq "false" -and objectclass -eq "user"}

  • Search-ADAccount -AccountDisabled -UsersOnly

  • I'm running the tool and it's not showing all the locked accounts in my Domain. When I use the LockoutStatus tools, it shows userxyz is locked. If I run the suggested command, it DOES NOT list userxyz.

    To be honest, "Get-ADUser -Identity tinpj -Properties *" shows "lockedOut = False" for the user.

    Any ideas?

  • @Luiz Angelo Heinzen - you have to check all domain controllers to see where the account is locked out - see http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx

  • How do you change this to only display disabled accounts in the last X days?

  • @Jeremy: I don't think you can do that directly.

    This will use the last logon date of the users to give some reference.
    Search-ADAccount -AccountDisabled -UsersOnly | Sort-Object lastlogondate

    Or using Get-ADUser can show many properties, modified shows the timestamp of any changes
    Get-ADUser -Filter {enabled -eq "false" -and objectclass -eq "user"} -properties modified | sort-object modified
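
An added example, not from the original post or any commenter: it combines the `-UsersOnly` search above with replication metadata to approximate "disabled in the last X days" by checking when `userAccountControl` (the attribute that holds the disabled flag) was last written. The function name, its parameters and the DC name are hypothetical; it assumes the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

function Get-RecentlyDisabledUser {
    [CmdletBinding()]
    param(
        # Look-back window in days (hypothetical parameter name).
        [int]$Days = 30,
        # Domain controller to query for accounts and replication metadata.
        [Parameter(Mandatory)][string]$Server
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # -UsersOnly drops the disabled computer accounts that the bare
    # -AccountDisabled search also returns.
    Search-ADAccount -AccountDisabled -UsersOnly -Server $Server | ForEach-Object {
        # Replication metadata records the originating write time of
        # userAccountControl, independent of which DC answers the query.
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                    -Server $Server -Properties userAccountControl

        if ($meta -and $meta.LastOriginatingChangeTime -ge $cutoff) {
            $user = Get-ADUser -Identity $_.DistinguishedName -Server $Server `
                        -Properties HomeDirectory, LastLogonDate
            [pscustomobject]@{
                SamAccountName  = $user.SamAccountName
                UacLastChanged  = $meta.LastOriginatingChangeTime
                ChangedOnServer = $meta.LastOriginatingChangeDirectoryServerIdentity
                LastLogonDate   = $user.LastLogonDate
                HomeDirectory   = $user.HomeDirectory
            }
        }
    } | Sort-Object UacLastChanged -Descending
}

# Example call; 'dc01.example.com' is a placeholder DC name.
# Get-RecentlyDisabledUser -Days 14 -Server 'dc01.example.com'
```

`userAccountControl` also changes when other flags are toggled (for example "password never expires"), so a hit means the account is disabled now and its flags were last written inside the window, not that the disable itself is proven to have happened then.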