Using the dsquery user and dsget user commands, we can find disabled user accounts in Active Directory.
The dsquery user command has a -disabled parameter that searches the directory for user accounts that are disabled. A disabled account prevents the user from logging into the network.
In this tutorial, we will discuss how to use the dsquery user and dsget user commands to find disabled user accounts in Active Directory.
Find disabled user accounts using the dsquery
The dsquery user command with the -disabled parameter searches Active Directory for user accounts with disabled status.
Setting the -limit parameter to 0 makes dsquery list all disabled user accounts instead of stopping at a result limit.
The dsget user command is then used to display each disabled user's first name and last name.
dsquery user -disabled -limit 0 | dsget user -fn -ln
The output of the above dsquery command to find disabled user accounts in the directory is:
In the above output, it can be seen that the dsquery user command found 2 disabled user accounts in the directory.
We can export the disabled user accounts in Active Directory to a CSV file using the command below.
dsquery user -disabled -limit 0 | dsget user -fn -ln > C:\Temp\disabled_user.csv
In the above command, the dsquery user command uses the -disabled parameter to search for disabled user accounts in the directory.
The dsget user command gets the first name and last name for the disabled accounts, and the output is redirected to the disabled_user.csv file.
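The redirect above saves dsget's space-aligned table as plain text, so the file has no comma separators. The following added example (not part of the original article) parses that table into objects that Export-Csv can write as real CSV. It assumes dsget prints a header row, space-padded columns and a trailing "dsget succeeded" line; the sample rows, the ConvertFrom-DsgetTable function name and the extra -samid column are illustrative additions.

```powershell
# Constructed sample of the table dsget prints (assumed layout: header row,
# space-padded columns, trailing status line). On a domain-joined host use:
#   $raw = dsquery user -disabled -limit 0 | dsget user -samid -fn -ln
$raw = @(
    '  samid       fn        ln'
    '  jdoe        John      Doe'
    '  mvanburen   Mary      Van Buren'
    '  svc-backup'
    'dsget succeeded'
)

# Hypothetical helper: turns dsget's fixed-width table into objects.
function ConvertFrom-DsgetTable {
    param([string[]]$Lines)

    # Drop blank lines and the trailing status line.
    $rows = @($Lines | Where-Object { $_.Trim() -and $_ -notmatch '^dsget succeeded' })
    if ($rows.Count -lt 2) { return }

    # Column start offsets come from the header. Values can contain spaces
    # ("Van Buren"), so slice by offset instead of splitting on whitespace.
    $cols = @([regex]::Matches($rows[0], '\S+') | ForEach-Object {
        [pscustomobject]@{ Name = $_.Value; Start = $_.Index }
    })

    foreach ($line in $rows[1..($rows.Count - 1)]) {
        $record = [ordered]@{}
        for ($i = 0; $i -lt $cols.Count; $i++) {
            $start = $cols[$i].Start
            $end = if ($i + 1 -lt $cols.Count) { $cols[$i + 1].Start } else { $line.Length }
            $end = [Math]::Min($end, $line.Length)
            # A short line means the remaining attributes are empty,
            # which is common for service accounts without fn/ln.
            $record[$cols[$i].Name] = if ($start -lt $line.Length) {
                $line.Substring($start, $end - $start).Trim()
            } else { '' }
        }
        [pscustomobject]$record
    }
}

$accounts = ConvertFrom-DsgetTable -Lines $raw
$accounts | Format-Table -AutoSize
# Write a comma-separated file for review or ticketing:
# $accounts | Export-Csv -Path C:\Temp\disabled_user.csv -NoTypeInformation
```

Including -samid keeps accounts identifiable when the first and last name attributes are empty.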
Conclusion
I hope the above article on how to find disabled user accounts using the dsquery command is helpful to you.
It's a good security practice to check for disabled user accounts in Active Directory frequently and to clean up stale accounts.