
Delete Disabled AD Account Using PowerShell

The Enabled property of an Active Directory user object tells you whether the account is enabled or disabled: if Enabled is True the account is active, if it is False the account is disabled.

In a domain with a large number of users, an administrator has to keep track of inactive and disabled accounts. A common lifecycle policy is that once an account has been disabled for more than X days it is deleted, so the directory does not accumulate dormant accounts that could later be re-enabled or abused.

In this article, we will learn how to get a list of disabled users in Active Directory using PowerShell and how to delete a disabled user account using PowerShell.

The PowerShell Get-ADUser cmdlet gets one or more user objects. Each Active Directory user object carries properties such as Name, SamAccountName and Enabled.

Check If AD Account is Disabled

If you want to check whether an AD user account is disabled or enabled, use the Enabled property of the user object. The Enabled value is either True or False, which gives you the account status.

To list all disabled accounts, run the command below. The filter is evaluated on the domain controller, so only disabled accounts are returned instead of every user in the domain being pulled to the client and filtered locally:

 Get-ADUser -Filter 'Enabled -eq $false' | Select-Object SamAccountName

The Get-ADUser Filter parameter selects only user objects whose Enabled property is False (disabled accounts) and passes them to the second command.

The second command uses Select-Object to output just the SamAccountName of each disabled user in Active Directory.

The output lists the disabled accounts:

SamAccountName
--------------
Guest
krbtgt
RahulS

Note that built-in accounts such as Guest and krbtgt (the Kerberos KDC service account) appear in this list because they are disabled by design. They are not stale user accounts and must never be deleted, so exclude them before doing any bulk removal.

Cool Tip: How to Disable active directory user account in PowerShell!

Delete Disabled AD Account

In the above example, we got a list of disabled users in Active Directory.

If you want to delete a disabled AD account, use the Remove-ADUser PowerShell cmdlet. Run the script below to delete the disabled accounts; add -WhatIf to Remove-ADUser first to see what would be removed without actually deleting anything:

 # Get the disabled user objects (keep the whole ADUser object, not just the name,
 # so it can be passed to Remove-ADUser and printed cleanly).
 $disabledUsers = Get-ADUser -Filter 'Enabled -eq $false'

 ForEach ($user in $disabledUsers)
 {
    Write-Host "Deleting User account" $user.SamAccountName
    # Remove the account; Remove-ADUser prompts for confirmation by default.
    Remove-ADUser -Identity $user.SamAccountName
 }

In the above PowerShell script,

$disabledUsers – variable contains the list of disabled user accounts. We get them with Get-ADUser, filtering for users whose Enabled property is False.

Using foreach, we iterate over $disabledUsers and remove each AD user with the Remove-ADUser cmdlet.

The Remove-ADUser command deletes the AD user specified by SamAccountName through the Identity parameter.

Remove-ADUser prompts for confirmation before deleting each account. Click Yes, or Yes to All if you want to delete all listed disabled users in Active Directory. To run unattended, add -Confirm:$false; to do a dry run, add -WhatIf. Remember that this script deletes every disabled account the filter returns, including built-in accounts such as Guest and krbtgt, so in practice you should exclude those and only delete accounts that have been disabled for your retention period.
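The script below is an added example, not code from the original article. It combines the listing step and the deletion step above into a safer version of the same procedure: it filters disabled users on the domain controller, skips critical system objects (Guest, krbtgt and the like), uses replication metadata to check how long ago the account was disabled, writes a CSV report before touching anything, and supports -WhatIf and -Confirm. The OU in $SearchBase, the 90-day threshold and the report path are placeholder assumptions; replace them for your own domain. The "disabled since" value is taken from the last change to the userAccountControl attribute, which is the disable time unless another flag on that attribute was changed afterwards.

```powershell
# Added example (not from the original article): remove user accounts that have
# been disabled for at least $DaysDisabled days, skipping built-in/critical
# objects, with a CSV audit trail and -WhatIf / -Confirm support.
# Assumes the ActiveDirectory module is installed and the caller has delete
# rights in the target OU. $SearchBase, $DaysDisabled and $ReportPath are
# placeholder values.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Assumption: scope the cleanup to one OU rather than the whole domain.
    [string]$SearchBase   = 'OU=Users,DC=corp,DC=example',
    [int]   $DaysDisabled = 90,
    [string]$ReportPath   = '.\disabled-users-to-delete.csv'
)

Import-Module ActiveDirectory

# Use one writable DC for both the query and the replication metadata so the
# "disabled since" timestamps come from a single consistent source.
$dc     = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$cutoff = (Get-Date).AddDays(-$DaysDisabled)

# Filter server-side. isCriticalSystemObject excludes Guest, krbtgt and other
# built-ins that a plain 'Enabled -eq $false' query also returns.
$candidates = Get-ADUser -Server $dc -SearchBase $SearchBase `
    -Filter 'Enabled -eq $false -and isCriticalSystemObject -ne $true' `
    -Properties LastLogonDate, ProtectedFromAccidentalDeletion

$toDelete = foreach ($u in $candidates) {
    # userAccountControl holds the ACCOUNTDISABLE flag; its last originating
    # change time is when the account was (most recently) disabled, unless
    # another UAC flag was changed later.
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
        -Server $dc -Properties userAccountControl
    $disabledSince = $meta.LastOriginatingChangeTime

    if ($disabledSince -gt $cutoff) {
        # Disabled too recently for the retention policy; keep it for now.
        continue
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        DisabledSince     = $disabledSince
        LastLogonDate     = $u.LastLogonDate
        Protected         = $u.ProtectedFromAccidentalDeletion
    }
}

# Write the audit trail before deleting anything, so the report exists even
# if the run is interrupted or executed with -WhatIf.
$toDelete | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath ($(@($toDelete).Count) account(s))"

foreach ($t in $toDelete) {
    if ($t.Protected) {
        # Do not silently override the accidental-deletion guard; someone set it.
        Write-Warning "Skipping $($t.SamAccountName): ProtectedFromAccidentalDeletion is set"
        continue
    }
    if ($PSCmdlet.ShouldProcess($t.DistinguishedName,
            "Remove user disabled since $($t.DisabledSince)")) {
        # ShouldProcess already handled -WhatIf/-Confirm, so suppress the
        # cmdlet's own prompt to avoid asking twice.
        Remove-ADUser -Identity $t.DistinguishedName -Server $dc -Confirm:$false
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to see which accounts would be removed; the CSV report is written either way. Run it without -WhatIf to be prompted per account, or with -Confirm:$false for an unattended run, and use -DaysDisabled to change the retention period.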

Delete Disabled AD Account Confirmation

Conclusion

I hope the above article helps you check whether an AD account is disabled and use the Remove-ADUser cmdlet to delete disabled AD accounts.

It is always a best practice to find inactive users in Active Directory and disable them first, and only delete an account after it has stayed disabled for your retention period. This gives you a window to recover the account if it turns out to be needed.

Using the Get-ADUser cmdlet and the Enabled property you can check an AD user account's status, and the Remove-ADUser cmdlet deletes the AD user from Active Directory.

You can also get an AD user's last logon date to find when the user last logged on; if that is more than X days ago, disable the account and export the list of disabled users to a CSV file for review before deleting them.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.