Active directory user Enabled property tells the user is enabled or disabled. If the Enabled property value is True, the ad user is active else ad user is disabled.
When we have a large set of active directory users configured, as an Admin we have to keep track of inactive or disabled accounts in the active directory. If the user account is disabled for more than X days, we need to delete the disabled ad account.
In this article, we will learn how to get a list of disabled users in the active directory using PowerShell and delete a disabled user account in the active directory using PowerShell.
PowerShell Get-ADUser cmdlet gets one or more users objects. These active directory user objects contain properties like name, samaccountname, and Enabled.
Check If Ad Account is Disabled
If you want to check if ad user account is disabled or enabled, use Enabled
property of user object. Using Enabled property value either True or False, we get ad account status.
To check ad account status run the below command
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "False"} | Select-Object SamAccountName
Above Get-ADUser Filter parameter get list of ad users and pass output to the second command.
The second command uses Where-Object to check ad account status using Enabled property is equal to false to get disabled users only. It passes the output to the third command.
The third command use Select-Object
to get the SamAccountName of disabled users in active directory.
The output of above disabled users as below
SamAccountName
--------------
Guest
krbtgt
RahulS
Cool Tip: How to Disable active directory user account in PowerShell!
Delete Disabled AD Account
In the above example, we get a list of disabled users in the active directory.
If you want to delete a disabled ad account, you need to use the Remove-ADUser PowerShell cmdlet to remove disabled ad user, run below command to delete disabled ad account
$disabledUsers = Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "False"} | Select-Object SamAccountName ForEach ($user in $disabledUsers) { Write-Host "Deleting User account" $user Remove-ADUser -Identity $user.SamAccountName }
In the above PowerShell script,
$disabledUsers – variable contains a list of disabled user accounts. We got these disabled accounts using Get-ADUser to get all ad user and check for Enabled property value equal to false.
Using foreach, we iterate $disabledUsers
to remove ad user using Remove-ADUser cmdlet.
PowerShell Remove-ADUser command deletes ad user specified by SamAccountName using the Identity parameter.
It will prompt confirmation to delete ad account. Click Yes/Yes to All if you want to delete all disabled users in Active Directory.
Conclusion
I hope the above article helps you to check if ad account is disabled. Use the Remove-ADUser cmdlet to delete the disabled ad account.
It is always a best practice to find inactive users in the active directory and make them disabled before deleting the user account.
Using the Get-ADUser cmdlet and Enabled property, you can check ad user account status, and using Remove-ADUser cmdlet, it deletes ad user from the active directory.
You can get ad users last logon date time to find when the last time user logged on and if it is more than X days, marked the account as disabled and export a list of disabled users to a CSV file.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.