How to Find Disabled Active Directory User Accounts

by Robert Allen

In this guide, you will learn how to find disabled users in Active Directory using PowerShell and the AD Pro Toolkit.

Disabled user accounts can be enabled and used by hackers or disgruntled employees to gain access to the network. Knowing how to quickly find disabled user accounts can improve security and help to keep your domain organized.

PowerShell Get Disabled Users

In this example, I’ll use the Get-ADUser cmdlet to get all disabled users in Active Directory.

Step 1: Open PowerShell as Administrator.

Step 2: Copy and paste the command below to get all disabled users.

Get-ADUser -Filter {Enabled -eq "False"}

Step 3: To export the list of disabled users, use this command.

Get-ADUser -Filter {Enabled -eq "False"} | Export-Csv -Path c:\temp\disabledusers.csv -NoTypeInformation

Easily Find Disabled Users in Active Directory with AD Pro Toolkit

The AD Pro Toolkit includes an Active Directory Reporting Tool that makes it easy to find disabled users.

Step 1: Click on User Reports -> Disabled Users and click Run. To find disabled users in a specific OU click the browse button.


Step 2. Click export.


The AD Pro Toolkit includes over 200 built in reports.

Download AD Pro Toolkit and try the disabled users report for free.

Active Directory Account Disabled Attribute

When a user account is disabled the userAccountControl attribute will change to 514. With PowerShell, you can filter on this attribute to find all disabled users.

Get-ADUser -Filter * -Properties UserAccountControl | Where-Object {$_.UserAccountControl -eq 514} | Select-Object Name, UserAccountControl

The problem with this option is that the UserAccountControl attribute can have different values. For example, if the account is disabled and is set to password never expires the UserAccountControl attribute will be 66050. So, running a search for 514 may not list all disabled user accounts in your domain.
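The mismatch described above comes from userAccountControl being a bit field: disabling an account sets the ACCOUNTDISABLE bit (2), so 514 is 512 + 2 and 66050 is 65536 + 512 + 2. The PowerShell below is an added example, not code from the original article; the helper names Test-UacDisabled, Get-UacFlagName and Get-DisabledAdUser and the sample values are made up for illustration.

```powershell
# Added example: treat userAccountControl as a bit field, not a single number.
# Flag names and values are the documented userAccountControl bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function Get-UacFlagName {
    # Hypothetical helper: names of the known flags set in $Value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-UacDisabled {
    # Hypothetical helper: true when the ACCOUNTDISABLE bit (2) is set,
    # whatever other bits accompany it.
    param([Parameter(Mandatory)][int]$Value)
    [bool]($Value -band $UacFlags.ACCOUNTDISABLE)
}

function Get-DisabledAdUser {
    # Same bit test evaluated by the domain controller through the LDAP
    # bitwise-AND matching rule. Needs the ActiveDirectory module.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' `
        -Properties userAccountControl |
        Select-Object Name, Enabled, userAccountControl
}

# Constructed sample values (not taken from a real domain).
foreach ($v in 512, 514, 546, 66048, 66050) {
    [pscustomobject]@{
        UserAccountControl = $v
        Disabled           = Test-UacDisabled $v
        FoundByEq514       = ($v -eq 514)
        Flags              = (Get-UacFlagName $v) -join ', '
    }
}
```

Of the constructed values, 514, 546 and 66050 have the disabled bit set, but only 514 is found by the -eq 514 comparison.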

With the AD Pro Toolkit you can list multiple user attributes and the account status. This makes it easy to list all disabled accounts and see the UserAccountControl attribute at the same time.

Get userAccountControl attribute with AD Pro Toolkit showing disabled user accounts.

How to Check if a Single User Account is Disabled

Use this command to check the status of a single account. If the account is disabled it will display “False”.

Get-ADUser -Identity Adam.Lawhorn | Select-Object Enabled

In this example, you can see the user account “Adam.Lawhorn” is disabled.


Get All Disabled Users with PowerShell

Use this command to get all disabled users in your domain.

Get-ADUser -Filter {Enabled -eq $False} -Properties Name, Enabled | Select-Object Name, Enabled

How to Export Disabled Users from Active Directory

To export all disabled users to CSV use this command.

Get-ADUser -Filter {Enabled -eq $False} -Properties Name, Enabled | Select-Object Name, Enabled | Export-Csv -Path c:\temp\alldisabledusers.csv -NoTypeInformation

Find Disabled Users in OU

This command will get all disabled users from a specific OU. Change the SearchBase to the DN of the OU you want to search.

Get-ADUser -Filter {Enabled -eq $False} -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com"

Find All Disabled Users in AD with AD Pro Toolkit

1. Run Disabled Users Report

Click on User Reports and under Account Status click on Disabled Users.

Next, click the Run button to generate a report of all disabled users.


In the screenshot above you can see the toolkit generated a list of all disabled users in Active Directory. You can easily limit the report to an OU or group by clicking the browse button. You can also add and remove user properties by clicking the columns button.

2. Export Disabled Users to CSV

If you need to export the list of disabled users click the export button and choose from CSV, XLSX, or PDF.


Example export of all disabled users.


As you can see the AD Pro Toolkit makes it very quick and easy to report on user accounts from Active Directory. You can download a free trial of the AD Pro Toolkit and test it in your domain.

How Long to Keep Disabled User Accounts?

When an Active Directory user account is disabled it stays in Active Directory until an administrator deletes it. Disabled accounts are typically kept for 30 to 90 days before they are deleted. This allows time for the manager or new person to get any files or emails they might need from the previous employee.

The time frame to keep disabled user accounts should be defined by your organization as employee accounts are used by other systems such as HR and payroll.

As an administrator of Active Directory, you should have a process for finding disabled and other inactive user accounts. These accounts should be disabled and then deleted depending on your organization’s policies.

I showed you two examples of how to find disabled user accounts in Active Directory. Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This is important to keep your AD environment secure and organized.


12 thoughts on “How to Find Disabled Active Directory User Accounts”

      • Hi Robert, this command just brings a few disabled accounts. Do you know why?
        If I do Find Common queries it brings me more than 800 accounts.
        thanks

        • Are you sure the query is right? 800 seems like a lot of disabled accounts.

          Try this.
          Get-ADUser -Filter * -Property Enabled | Where {$_.Enabled -like "False"} | FT Name, Enabled -AutoSize

  1. I am using version 10.0.17132.1 of Active Directory Users and Computers and am not seeing the options that you display above.

    When I open the find window I have two tabs: “Users, Contact and Groups” and “Advanced” – this window is titled “Find Users, Contacts and Groups” as opposed to “Find Common Queries” as you present above.
