PowerTip: Use PowerShell to Find Disabled User Accounts


Summary: Use Windows PowerShell to easily find disabled user accounts in Active Directory.

Hey, Scripting Guy! Question: How can I use Windows PowerShell to find disabled user accounts in Active Directory?

Hey, Scripting Guy! Answer: Use the Search-ADAccount cmdlet from the Active Directory module:

Search-ADAccount -AccountDisabled
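
An added example, not part of the original tip: it narrows the one-liner to user accounts and keeps only those whose `userAccountControl` attribute changed within a look-back window, read from replication metadata, which approximates when each account was disabled. The function name `Get-RecentlyDisabledUser`, its parameters, the 30-day default and the choice of the PDC emulator as the default server are assumptions for illustration; it needs the ActiveDirectory module and a reachable domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function and parameter names are hypothetical.

function Get-RecentlyDisabledUser {
    [CmdletBinding()]
    param(
        # Look-back window in days (assumed default).
        [int]$Days = 30,
        # Domain controller to query (assumption: the PDC emulator is reachable).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # -UsersOnly drops the disabled computer accounts that
    # -AccountDisabled alone also returns.
    Search-ADAccount -AccountDisabled -UsersOnly -Server $Server |
        ForEach-Object {
            # userAccountControl holds the "account disabled" flag. Its
            # replication metadata records the last write to the attribute.
            # Other flag changes update it too, so read the timestamp as
            # "disabled no later than", not as an exact disable time.
            $meta = Get-ADReplicationAttributeMetadata `
                -Object $_.DistinguishedName `
                -Server $Server `
                -Properties userAccountControl

            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogonDate     = $_.LastLogonDate
                UacLastChanged    = $meta.LastOriginatingChangeTime
                ChangedOnDC       = $meta.LastOriginatingChangeDirectoryServerIdentity
            }
        } |
        Where-Object { $_.UacLastChanged -ge $cutoff } |
        Sort-Object UacLastChanged -Descending
}

# Disabled user accounts whose userAccountControl changed in the last 14 days.
Get-RecentlyDisabledUser -Days 14 | Format-Table -AutoSize
```

For an authoritative record of who disabled an account and when, rely on directory service auditing on the domain controllers rather than on this attribute timestamp.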

 

Comments (15)

  1. mredwilson says:

    @Khalid Alghamdi yes that works. Great suggestion.

    @Steve yes this would also give disabled computer accounts. @Khalid has a great suggestion to filter out only users.

  2. and this is another way

    Get-ADUser -Filter {enabled -ne $true}

  3. madding report says:

    one way to fool everyone eh Khalid!!

  4. Steve says:

    This gives disabled computer accounts too.

  5. Hein de Vries says:

    @Khalid: thanks for the tip. Now I can use "-properties homedirectory" to get a list of disabled users and their homedirectory

  6. Citizens of Elbonia says:

    So… what module(s) needs to be imported for either get-aduser or search-adaccount to work?

  7. Citizens of Elbonia says:

    ah, so I am dumb:

    import-module activedirectory

    …answering my own stupid questions

  8. felipe says:

    Really Useful. thanks.

  9. muhammad says:

    @Steve you can also use: Search-ADAccount -AccountDisabled -usersonly

  10. Matty Ice says:

    Get-ADUser -Filter {enabled -eq "false" -and objectclass -eq "user"}

  11. Oops says:

    Search-ADAccount -AccountDisabled -UsersOnly

  12. Luiz Angelo Heinzen says:

    I’m running the tool and it’s not showing all the locked accounts in my Domain. When I use the LockoutStatus tools, it shows userxyz is locked. If I run the suggested command, it DOES NOT list userxyz.

    To be honest, "Get-ADUser -Identity tinpj -Properties *" shows "lockedOut = False" for the user.

    Any ideas?

  13. @Luiz Angelo Heinzen – you have to check all domain controllers to see where the account is locked out – see

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx

  14. jeremy says:

    How do you change this to only display disabled accounts in the last X days?

  15. Craig.B says:

    @Jeremy: I don’t think you can do that directly.

    This will use the last logon date of the users to give some reference.
    Search-ADAccount -AccountDisabled -UsersOnly | Sort-Object lastlogondate

    Or using Get-ADUser can show many properties, modified shows the timestamp of any changes
    Get-ADUser -Filter {enabled -eq "false" -and objectclass -eq "user"} -properties modified | sort-object modified
