In this guide, you will learn how to disable Active Directory user accounts.
First, I will show you how to disable single and multiple user accounts using the Active Directory Users and Computers (ADUC) console. Then I will show you how to disable user accounts with PowerShell, both for a single account and for multiple accounts listed in a text file.
Example 1: Disable users using Active Directory Users and Computers
Using the ADUC console you can easily select one or more user accounts to disable.
To disable a single account, browse to the organizational unit, right-click the account, then select Disable Account.
To disable multiple accounts, hold down the Ctrl key and select the accounts, then right-click and select Disable Account. In this example I just randomly selected multiple accounts from the Accounting OU.
As you can see it is very easy to disable user accounts using the ADUC console. This method works well if you have a few accounts that are in the same OU. If you have a big list of accounts that are in various OUs then you will want to use PowerShell.
Example 2: Disable AD users using PowerShell
In this example, I will show you how to use the PowerShell cmdlet “Disable-ADAccount” to disable single and multiple user accounts.
You can identify accounts to disable with one of the following identities.
- A distinguished name
- A GUID (objectGUID)
- A Security Identifier (objectSid)
- A SAM Account Name (SAMAccountName)
I like to use the SAMAccountName to identify accounts as this is typically the user’s login name.
In this first example, I will disable the user Abel.Austin with the following command:
Disable-ADAccount -Identity Abel.Austin
That is all there is to it. Now I will use Get-ADUser to confirm that the account was disabled.
Get-ADUser -Identity Abel.Austin | Select-Object Name, Enabled
Yes, I can see from the command output that the account is now disabled. To disable multiple user accounts using PowerShell see example 3.
Example 3: Disable multiple AD user accounts from a text file
You can easily disable multiple user accounts from a text file with the script below.
Step 1: Create a text file with the list of user names
Here is a screenshot of my text file. Save the text file to the computer that will be running the script.
Step 2: Copy and run the script in PowerShell
Warning: This will disable all of the accounts you have listed in the text file.
If you saved the text file to a different location than c:\it\users.txt you will need to update the script.
When you are ready, copy the script below into PowerShell ISE and click run.
Import-Module ActiveDirectory
$users = Get-Content c:\it\users.txt   # one user name per line
ForEach ($user in $users) {
    Disable-ADAccount -Identity $user
    Write-Host "user $($user) has been disabled"
}
Here is a screenshot of this running in my lab.
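The loop above reports "has been disabled" even when a name in the file is misspelled or the call fails. The following is an added example, not the script from this guide: it resolves each name first, supports -WhatIf, re-reads the account to confirm the change, and writes a result log. It assumes the same c:\it\users.txt file; the log path and the status labels are assumptions.

```powershell
# Added example (not this guide's script). Assumes the ActiveDirectory module (RSAT)
# and c:\it\users.txt with one SAMAccountName per line. The log path is an assumption.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path    = 'c:\it\users.txt',
    [string]$LogPath = 'c:\it\disable-results.csv'   # hypothetical output location
)

Import-Module ActiveDirectory

# Trim whitespace, drop blank lines and duplicates so no entry is processed twice
$names = Get-Content -Path $Path |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

$results = @(foreach ($name in $names) {
    $status = 'Disabled'
    try {
        # Resolve the name first: a typo fails here, before anything is changed
        $user = Get-ADUser -Identity $name -ErrorAction Stop

        if (-not $user.Enabled) {
            $status = 'AlreadyDisabled'
        }
        elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $user -ErrorAction Stop
            # Re-read the object and confirm the change actually took effect
            if ((Get-ADUser -Identity $user.ObjectGUID).Enabled) { $status = 'StillEnabled' }
        }
        else {
            $status = 'Skipped'   # -WhatIf was given or the prompt was declined
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Time           = Get-Date -Format o
        SamAccountName = $name
        Status         = $status
    }
})

# Keep a record of who was disabled, when, and what failed
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Save it as a .ps1 file and run it with -WhatIf first to review the list of accounts that would be changed; under -WhatIf the CSV is not written either.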
If you want to display all disabled user accounts, check out my guide titled Find disabled Active Directory User accounts.
I also created a GUI tool called the AD cleanup tool that makes it very easy to display all disabled users as well as expired users and users that have never logged on.
If you have questions or comments please post them in the comment section below.