The Disable-ADAccount cmdlet in PowerShell is used to disable ad user, computer, or service account in Active Directory. As an administrator, for security reasons, you may want to disable accounts of users who have left the organization or employees whose employment has been terminated for some reason.
Disable-ADAccount cmdlet disables ad user by SAMAccountName, Disable an Account by Distinguished Name or disable all accounts in an organizational unit.
In this blog post, we will discuss how to disable ad user account using the Disable-AdAccount cmdlet.
Disable-ADAccount Syntax
Disable-AdAccount cmdlet disables active directory account.
Syntax:
Disable-ADAccount [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADAccount> [-Partition <String>] [-PassThru] [-Server <String>] [<CommonParameters>]
Parameters:
Identity: parameter specifies the active directory user, computer, or service account which you want to disable. You can use SAMAccountName, Distinguished Name, GUID, or Security Identifier to identify ad account.
Disable Ad User Account using SAMAccountName
Use Disable-ADAccount cmdlet in PowerShell to disable the active directory user account. Run below command
Disable-ADAccount -Identity Tira.Elsa
In the above PowerShell script,
Disable-ADAccount disables active directory user with SAMAccountName Tira.Elsa.
Cool Tip: How to export a list of disabled users from the active directory!
Disable Ad User Account using Distinguished Name
You can disable ad user account using a Distinguished Name in the Disable-AdAccount command as given below
Disable-ADAccount -Identity "CN=Peter Colin,OU=HR,DC=SHELLPRO,DC=LOCAL"
In the above PowerShell script,
Disable-ADAccount command disables active directory user identified by distinguished name.
Cool Tip: How to find disabled active directory users accounts in PowerShell!
Disable Active Directory User in Specific Organizational Unit
You can use Disable-ADAccount cmdlet to disable ad user in specific OU using the below command
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" | Disable-ADAccount
In the above PowerShell script,
Get-ADUser cmdlet gets active directory users using Searchbase parameter from specific OU and passes active directory user objects to next command.
In the second command, it uses Disable-AdAccount to disable all ad users in specific OU.
Cool Tip: How to move ad user account using Move-AdObject in PowerShell!
Conclusion
In the above article, we have learned, how to disable ad user using PowerShell.
You can use the Get-AdUser cmdlet to get active directory user object and pass it Disable-AdAccount to disable active directory user.
You should disable a user’s account if they are no longer an employee. It is the best way to ensure data security and compliance with company policy.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.