Use the Get-ADUser cmdlet in PowerShell to find disabled users in Active Directory. Each user object has an Enabled property that shows whether the account is enabled or disabled, and you can check it for a single OU or for the entire directory.
It's a security best practice to routinely check whether Active Directory user accounts are stale, disabled, or in a suspended state. A PowerShell script lets the administrator quickly run the Get-ADUser cmdlet to find the disabled users in an OU or in the whole directory.
In this article, I will explain how to find disabled users in Active Directory organizational units using PowerShell.
When we create an Active Directory user, it has properties and attributes assigned to it. To get all properties of an AD user, run the command below:
Get-ADUser -identity Toms -properties *
In the above command, Get-ADUser retrieves all properties of the user Toms.
An AD user has an Enabled property whose value is either True or False. If the Enabled property is set to True, the user is active. The AD user is disabled if the Enabled property is False.
Let's walk through examples of how to find disabled users in an OU and how to list disabled users in AD with PowerShell using the Get-ADUser Enabled property.
Find Disabled Users in OU
If you want to get the disabled users in an OU, run the command below:
Get-ADUser -Filter * -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Properties Enabled | Where {$_.Enabled -eq $false} | FT Name, Enabled -AutoSize
In the above PowerShell script, Get-ADUser uses the wildcard character (*) with the Filter parameter to get all users, and the SearchBase parameter limits the search to the specified OU. The result is passed to the second command.
The second command uses the Where condition to keep only the users whose Enabled property equals False, which are the disabled users in the OU, and passes them to the third command.
The third command displays the Name and Enabled values of the disabled users in the OU.
The output of the above script is below:
Name Enabled
---- -------
Rahul Seth False
Get Disabled Users in Active Directory
If you want to get the disabled users in Active Directory for an entire domain, run the command below:
Get-ADUser -Filter * -Properties Enabled | Where {$_.Enabled -eq $false} | FT Name, Enabled -AutoSize
In the above script, Get-ADUser retrieves all users in the domain together with their Enabled property and passes the output to the second command.
The second command keeps only the users whose Enabled property equals False, which gives all disabled users in Active Directory.
Get all AdUser Enabled or Disabled Status
You can list the Enabled status (True or False) of every AD user account using the command below:
Get-ADUser -Filter * -Properties Enabled | FT Name, Enabled -AutoSize
The above PowerShell script lists every Active Directory account name with its Enabled status, showing whether each account is enabled or disabled.
Conclusion
I hope the above article on finding disabled users in OU is helpful to you.
Use the PowerShell Get-ADUser cmdlet with the Filter parameter and check the Enabled property value, either True or False, to get the disabled status of AD users.
If an AD user account has been disabled for more than X days, export the list of disabled users to a CSV file and delete the disabled AD accounts.
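The clean-up described above, as an added example that is not part of the original article: it filters on the domain controller instead of in a Where clause, exports the result to CSV, and only previews the deletion. The function name, the 90-day threshold and the CSV path are assumptions. Active Directory stores no dedicated "disabled on" date, so the script treats a disabled account whose whenChanged is older than the cutoff as disabled for at least that long.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: returns disabled users in an OU that have not been
# modified for at least $Days days.
function Get-StaleDisabledUser {
    [CmdletBinding()]
    param(
        # OU to search; the default is the OU used in the article's example.
        [string]$SearchBase = 'OU=HR,DC=SHELLPRO,DC=LOCAL',

        # The article's "X days"; 90 is an assumed value.
        [ValidateRange(1, 3650)]
        [int]$Days = 90
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # Server-side filter: the domain controller returns only disabled
    # accounts, instead of every user being sent to the client and
    # filtered there with Where-Object.
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
               -Properties whenChanged, LastLogonDate |
        # whenChanged moves forward on any change to the object, so a
        # disabled account untouched since the cutoff has been disabled
        # for at least $Days days.
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object Name, SamAccountName, Enabled, whenChanged,
                      LastLogonDate, DistinguishedName
}

# Collect the candidates once so the CSV and the deletion preview
# operate on exactly the same set of accounts.
$stale = @(Get-StaleDisabledUser -Days 90)

# Keep a record of what is about to be removed (assumed output path).
$stale | Export-Csv -Path '.\DisabledUsers.csv' -NoTypeInformation -Encoding UTF8

# -WhatIf only prints what would be deleted. Review the CSV first, then
# replace -WhatIf with -Confirm:$false to perform the deletion.
foreach ($user in $stale) {
    Remove-ADUser -Identity $user.DistinguishedName -WhatIf
}
```

Because whenChanged is not replicated between domain controllers, run the script against the same domain controller each time for consistent results.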
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.