
Find Disabled Users in OU Using PowerShell

The PowerShell Get-ADUser cmdlet is used to get information about one or more Active Directory users, such as name, samaccountname, lastlogon, enabled status, and so on. When there is a large number of Active Directory users, it is very important to find the disabled users in an OU or in the entire domain.

In this article, I will explain how to find disabled users in Active Directory organizational units using PowerShell.

When we create an Active Directory user, it has properties and attributes assigned to it. To get all properties of an AD user, run the below command

Get-ADUser -Identity Toms -Properties *

The above Get-ADUser command returns the properties of the user Toms.

An AD user has an Enabled property which has a value of either True or False. If the user's Enabled property is set to True, the user is active. The AD user is disabled if the Enabled property is False.

Get-ADUser – Enabled Property

Let’s understand with an example how to find disabled users in an OU using the user's Enabled property, as below

Find Disabled Users in OU

If you want to get the disabled users in an OU, run the below command

Get-ADUser -Filter * -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Properties Enabled | Where-Object {$_.Enabled -eq $false} | Format-Table Name, Enabled -AutoSize

In the above PowerShell script, Get-ADUser uses the Filter parameter with the wildcard character (*) to get all users, the SearchBase parameter limits the search to users in the specified OU, and the output is passed to the second command.

The second command uses the Where condition to check that the Enabled property value is equal to False to get the disabled users in the OU, and passes the output to the third command.

The third command displays the Name and Enabled properties of the disabled users in the OU.

It retrieves all disabled users in the OU, that is, the users whose Enabled property is False.

The output of the above script to get disabled users is as below

Name       Enabled
----       -------
Rahul Seth   False


Get Disabled Users in Active Directory

If you want to get the disabled users in Active Directory for an entire domain, run the below command

Get-ADUser -Filter * -Properties Enabled | Where-Object {$_.Enabled -eq $false} | Format-Table Name, Enabled -AutoSize

In the above script, Get-ADUser gets all users in the domain along with their Enabled property and passes the output to the second command.

The second command checks that the user's Enabled property is equal to False to get all disabled users in Active Directory.


Get all ADUser Enabled or Disabled Status

You can get a list of the enabled status of all AD user accounts, as either True or False, using the below command

Get-ADUser -Filter * -Properties Enabled | Format-Table Name, Enabled -AutoSize

The above PowerShell script lists the name and Enabled status of every Active Directory account, showing whether each AD user is enabled or disabled.
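The commands above fetch every user and filter on the client. The following added example (not from the original article) filters on the Enabled property on the domain controller instead and exports the disabled accounts to a CSV file for review; the function name Get-DisabledUserReport, the CSV path and the extra columns are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-DisabledUserReport {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to search; omit to search the whole domain.
        [string]$SearchBase,
        # Assumed output location for the report.
        [string]$CsvPath = '.\DisabledUsers.csv'
    )

    $params = @{
        # Server-side filter: only disabled accounts are returned by the DC.
        Filter     = 'Enabled -eq $false'
        Properties = 'whenChanged', 'LastLogonDate', 'MemberOf'
    }
    if ($SearchBase) {
        $params.SearchBase  = $SearchBase
        $params.SearchScope = 'Subtree'   # include child OUs
    }

    # @() keeps the result an array even when no account matches.
    $report = @(Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            # Last change to any attribute, not necessarily the disable time.
            WhenChanged       = $_.whenChanged
            LastLogonDate     = $_.LastLogonDate
            # Memberships kept on a disabled account apply again if it is
            # re-enabled (the primary group is not listed in MemberOf).
            GroupCount        = $_.MemberOf.Count
            DistinguishedName = $_.DistinguishedName
        }
    } | Sort-Object WhenChanged)

    $report | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    return $report
}

# OU taken from the example earlier in the article.
Get-DisabledUserReport -SearchBase 'OU=HR,DC=SHELLPRO,DC=LOCAL' |
    Format-Table Name, WhenChanged, LastLogonDate, GroupCount -AutoSize
```

Accounts with a non-zero GroupCount are worth reviewing before they are deleted or left in place, since those memberships still exist in the directory.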

Conclusion

I hope the above article to find disabled users in OU is helpful to you.

Use the PowerShell Get-ADUser Filter parameter and check whether the Enabled property value is True or False to get the disabled status of AD users.

If an AD user account has been disabled for more than X days, export the list of disabled users to a CSV file and delete the disabled AD accounts.