PowerTip: Use PowerShell to Find Disabled User Accounts in AD DS


Summary: Easily find disabled user accounts in Active Directory Domain Services (AD DS) by using Windows PowerShell.

Hey, Scripting Guy! Question: How can I easily use Windows PowerShell to find disabled user accounts?

Hey, Scripting Guy! Answer: Use the Search-ADAccount cmdlet from the Active Directory module in RSAT, and specify the AccountDisabled and UsersOnly switches:

Search-ADAccount -AccountDisabled -UsersOnly
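
The following is an added example, not part of the original tip. It goes one step beyond the command above and reports the group memberships that disabled accounts still hold, which is what usually needs cleaning up after an account is disabled. The function name Get-DisabledUserReport and the CSV file name are assumptions chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-DisabledUserReport {
    [CmdletBinding()]
    param(
        # Optional OU or container DN to limit the search; the default naming context is used when omitted.
        [string]$SearchBase
    )

    # Same switches as the tip, passed by splatting so SearchBase can be added conditionally.
    $searchArgs = @{ AccountDisabled = $true; UsersOnly = $true }
    if ($SearchBase) { $searchArgs.SearchBase = $SearchBase }

    Search-ADAccount @searchArgs | ForEach-Object {
        # Search-ADAccount returns a fixed property set, so re-query each
        # account with Get-ADUser to fetch the extra attributes for the report.
        $user = Get-ADUser -Identity $_.ObjectGUID `
            -Properties MemberOf, whenChanged, Description, LastLogonDate

        # MemberOf lists direct memberships only; the primary group
        # (normally Domain Users) is not included in this attribute.
        $groups = @($user.MemberOf)

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            LastLogonDate     = $user.LastLogonDate
            WhenChanged       = $user.whenChanged
            Description       = $user.Description
            GroupCount        = $groups.Count
            Groups            = $groups -join ' | '
        }
    }
}

# Disabled accounts that still belong to at least one group, most memberships first.
Get-DisabledUserReport |
    Where-Object { $_.GroupCount -gt 0 } |
    Sort-Object -Property GroupCount -Descending |
    Export-Csv -Path .\disabled-users-with-groups.csv -NoTypeInformation
```
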

  • You can also use this command:

    Get-ADUser -Filter 'Enabled -eq $false'

    The main difference is that Get-ADUser returns ADUser objects (and you can specify which properties to fetch via the -Properties parameter), whereas Search-ADAccount returns ADAccount objects with a fixed set of properties (AccountExpirationDate, DistinguishedName, Enabled, LastLogonDate, LockedOut, Name, ObjectClass, ObjectGUID, PasswordExpired, PasswordNeverExpires, SamAccountName, SID, and UserPrincipalName).

  • Free active directory reporting available here, http://adsysnet.com/

  • Some low cost AD management tools available for finding inactive/disabled users in AD.

    http://adsysnet.com/downloads.aspx

  • Very useful, thanks for sharing this PowerShell to find unused computer accounts in Active Directory. I found an efficient application (http://www.lepide.com/active-directory-cleaner/). This utility helps to find out stale or inactive computer accounts that have not logged for 90 days. It generates reports which are based on inactive or old computer accounts, never logged on users details of accounts in HTML, CSV and PDF format. It helps to manage inactive accounts and move them to another OU.