Managing user accounts in Active Directory involves various tasks, including enabling, disabling, and monitoring user activity. Retrieving a list of disabled users is crucial for security, auditing, or cleaning up inactive accounts. In this blog post, I’ll guide you through the process of using PowerShell to easily obtain this list.
Prerequisites
Before we begin, make sure you have the following prerequisites in place:
- A Windows computer with PowerShell installed. This can be a domain controller running Windows Server or an admin workstation with a Windows client operating system where PowerShell is typically available.
- Administrative access to an Active Directory domain.
Procedure
- Open PowerShell with administrative privileges.
- To use Active Directory cmdlets, import the Active Directory module using this command:
Import-Module ActiveDirectory
- Now, you can use the Get-ADUser cmdlet to retrieve a list of disabled users by running the following command:
Get-ADUser -Filter {Enabled -eq $false} -Properties * | Select-Object Name, GivenName, Surname, SamAccountName, UserPrincipalName, DistinguishedName, LastLogonDate
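This command filters the users based on the Enabled property, which indicates whether the user account is enabled or disabled. By specifying $false, we retrieve only the disabled users. Additionally, all properties are queried by passing an asterisk (*) to the -Properties parameter. Of the attributes selected here, only LastLogonDate is outside the default property set that Get-ADUser returns, so -Properties LastLogonDate is sufficient and noticeably faster on large domains.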
The command will display a list of disabled user accounts in Active Directory. The list includes information such as the Name, GivenName, Surname, SamAccountName, UserPrincipalName, DistinguishedName, and LastLogonDate attributes. In my case, Test User 3 and Test User 5 are the disabled accounts.
![](https://cloudmonk.blog/wp-content/uploads/2023/10/image.png)
- To save the list of disabled users for analysis or reporting, export it to a CSV file using the Export-Csv cmdlet. Run the following command:
Get-ADUser -Filter {Enabled -eq $false} -Properties * | Select-Object Name, GivenName, Surname, SamAccountName, UserPrincipalName, DistinguishedName, LastLogonDate | Export-Csv -Path "C:\DisabledUsers.csv" -NoTypeInformation
Replace “C:\DisabledUsers.csv” with the desired path and filename for the CSV file.
- You can also use the Search-ADAccount cmdlet to list disabled users. This can be done by using the -AccountDisabled parameter to search for disabled accounts, and the -UsersOnly parameter to search only for users.
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object SamAccountName, DistinguishedName
![](https://cloudmonk.blog/wp-content/uploads/2023/10/image-1.png)
That’s it! You have successfully retrieved a list of disabled users in Active Directory using PowerShell. This information can be valuable for enhancing security, performing audits, or managing inactive accounts effectively.
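As an added example (not from the original post), the function below takes the output of the Get-ADUser query and flags disabled accounts that still hold group memberships or have adminCount set, which goes one step beyond the plain listing above. The function name Get-DisabledUserReview, the Finding labels and the sample accounts are constructed for illustration.

```powershell
# Added example, not from the original post. Get-DisabledUserReview and its
# Finding labels are hypothetical names chosen for this illustration.
function Get-DisabledUserReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # MemberOf lists direct group memberships; it omits the primary group.
        $groups = @($User.MemberOf | Where-Object { $_ })

        $finding = 'NoGroupMemberships'
        if ($groups.Count -gt 0)    { $finding = 'HasGroupMemberships' }
        # adminCount = 1 means the account is or was in a protected group.
        if ($User.adminCount -eq 1) { $finding = 'AdminCountSet' }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            LastLogonDate  = $User.LastLogonDate
            GroupCount     = $groups.Count
            Finding        = $finding
            Groups         = $groups -join '; '
        }
    }
}

# Live use (requires the ActiveDirectory module and a reachable domain):
# Get-ADUser -Filter 'Enabled -eq $false' -Properties LastLogonDate, MemberOf, adminCount |
#     Get-DisabledUserReview |
#     Export-Csv -Path 'C:\DisabledUsers.csv' -NoTypeInformation

# Constructed sample objects so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'testuser3'; LastLogonDate = [datetime]'2023-06-01'
                       adminCount = $null
                       MemberOf = @('CN=Helpdesk,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName = 'testuser5'; LastLogonDate = $null
                       adminCount = 1; MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'testuser7'; LastLogonDate = [datetime]'2022-11-15'
                       adminCount = $null; MemberOf = @() }
)

# Show only the disabled accounts that need follow-up.
$sample | Get-DisabledUserReview |
    Where-Object Finding -ne 'NoGroupMemberships' |
    Format-Table -AutoSize
```

A disabled account that keeps its group memberships regains that access the moment it is re-enabled, so the flagged rows are the ones to clean up first.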