PowerTip: Use PowerShell to Find Disabled User Accounts in AD DS

Summary: Easily find disabled user accounts in Active Directory Domain Services (AD DS) by using Windows PowerShell.

Hey, Scripting Guy! Question How can I easily use Windows PowerShell to find disabled user accounts?

Hey, Scripting Guy! Answer Use the Search-ADAccount cmdlet from the Active Directory module in the RSAT tools, and specify the AccountDisabled and UsersOnly switches:

Search-ADAccount -AccountDisabled -UsersOnly

Comments (4)

  1. David Wyatt says:

    You can also use this command:

    Get-ADUser -Filter 'Enabled -eq $false'

    The main difference is that Get-ADUser returns ADUser objects (and you can specifiy which properties to fetch via the -Properties parameter), whereas Search-ADAccount returns ADAccount objects with a fixed set of properties (AccountExpirationDate, DistinguishedName, Enabled, LastLogonDate, LockedOut, Name, ObjectClass, ObjectGUID, PasswordExpired, PasswordNeverExpires, SamAccountName, SID, and UserPrincipalName.)

  2. AllenRich says:

    Very useful, thanks for sharing this PowerShell to find unused computer accounts in active directory. I found an efficient application (http://www.lepide.com/active-directory-cleaner/). This
    utility helps to find out stale or inactive computer accounts that have not logged for 90 days. It generates report which are based on inactive or old computer accounts, never logged on users details of accounts in HTML, CSV and PDF format. It helps to manage
    inactive accounts and move them to another OU.

  3. joseph says:

    Free active directory reporting available here, http://adsysnet.com/

  4. Mahesh Adate says:

    Some low cost ad management tools available for finding inactive/disabled users in ad.