How to Find Disabled Active Directory User Accounts

In this guide, you will learn how to find disabled users in Active Directory using PowerShell and the AD Pro Toolkit.

Disabled user accounts can be enabled and used by hackers or disgruntled employees to gain access to the network. Knowing how to quickly find disabled user accounts can improve security and help to keep your domain organized.

PowerShell Get Disabled Users

In this example, I’ll use the get-aduser cmdlet to get all disabled users in Active Directory.

Step 1: Open PowerShell as Administrator.

Step 2: Copy and paste the command below to get all disabled users.

Get-ADUser -Filter {Enabled -eq "False"}

Step 3. To export the list of disabled users use this command.

Get-ADUser -Filter {Enabled -eq "False"} | export-csv -path c:\temp\disabledusers.csv

Easily Find Disabled Users in Active Directory with AD Pro Toolkit

The AD Pro Toolkit includes an Active Directory Reporting Tool that makes it easy to find disable users.

Step 1: Click on User Reports -> Disabled Users and click Run. To find disabled users in a specific OU click the browse button.

Step 2. Click export.

The AD Pro Toolkit includes over 200 built in reports.

Download AD Pro Toolkit and try the disabled users report for free.

Active Directory Account Disabled Attribute

When a user account is disabled the userAccountControl attribute will change to 514. With PowerShell, you can filter on this attribute to find all disabled users.

get-aduser -filter * -Properties UserAccountControl | where {$_.UserAccountControl -eq 514} | select name, UserAccountControl

The problem with this option is that the UserAccountControl attribute can have different values. For example, if the account is disabled and is set to password never expires the UserAccountControl attribute will be 66050. So, running a search for 514 may not list all disabled user accounts in your domain.

With the AD Pro Toolkit you can list multiple user attributes and the account status. This makes it easy to list all disabled accounts and see the UserAccountControl attribute at the same time.

How to Check if a Single User Account is Disabled

Use this command to check the status of a single account. If the account is disabled it will display “False”.

get-aduser -Identity Adam.Lawhorn | select Enabled

In this example, you can see the user account “Adam.Lawhorn” is disabled.

Get All Disabled Users with PowerShell

Use this command to get all disabled users in your domain.

Get-ADUser -Filter {(Enabled -eq $False)}  -Properties Name, Enabled | select name, enabled

How to Export Disabled Users from Active Directory

To export all disabled users to CSV use this command.

Get-ADUser -Filter {(Enabled -eq $False)}  -Properties Name, Enabled | select name, enabled | export-csv -path c:\temp\alldisabledusers.csv

Find Disabled Users in OU

This command will get all disabled users from a specific OU. Change the SearchBase to the DN of the OU you want to search.

Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -Property Enabled | Where {$_.Enabled -like "False"} 

Find All Disabled Users in AD with AD Pro Toolkit

1. Run Disabled Users Report

Click on User Reports and under Account Status click on Disabled Users.

Next, click the Run button to generate a report of all disabled users.

In the screenshot above you can see the toolkit generated a list of all disabled users in Active Directory. You easily limit the report to an OU or group by clicking the browse button. You can also add and remove user properties by clicking the columns button.

2. Export Disabled Users to CSV

If you need to export the list of disabled users click the export button and choose from CSV, XLSX, or PDF.

Example export of all disabled users.

As you can see the AD Pro Toolkit makes it very quick and easy to report on user accounts from Active Directory. You can download a free trial of the AD Pro Toolkit and test it in your domain.

How Long to Keep Disabled AD User Accounts?

The time frame to keep disabled user accounts should be defined by your organization as employee accounts are used by other systems such as HR and payroll. Below are some common practices for handling disabled accounts.

• Policy: Define a policy on how long disabled accounts should be kept before they are deleted. Common practice is to keep disabled accounts for 90-180 days before they are deleted.
• Move Disabled Accounts: Move disabled accounts into an organizational unit called Disabled. This makes it easy to see all the disabled accounts in your AD. It also helps to keep things organized.
• Permissions: When disabling accounts, it’s common practice to remove their group membership. If you do this make sure you backup the users group membership just in case the account needs to be restored.
• Review and Audit: Conduct a regular review (such as monthly) to ensure disabled accounts are getting removed based on your defined policy.
• Automate: Use automation tools such as the AD Cleanup Tool to automate the steps of finding disabled accounts, deleting, removing groups, clear attributes or creating reports. Automation tools can be set to run on a daily, weekly or monthly schedule.

I showed you two examples of how to find disabled user accounts in Active Directory. Most organizations have a policy to leave accounts disabled for a period of time, such as 90 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This is important to keep your AD environment secure and organized.

Related Articles

• Find accounts with password set to never expire
• How to get users password expiration date