How to Find Disabled Active Directory User Accounts

In this guide, you will learn how to find disabled users in Active Directory using PowerShell and by using a GUI tool.

Disabled user accounts can be enabled and used by hackers or disgruntled employees to gain access to the network. Knowing how to quickly find disabled user accounts can improve security and help to keep your domain organized.

PowerShell Get Disabled Users

In this example, I’ll use the get-aduser cmdlet to get all disabled users in Active Directory.

Step 1: Open PowerShell as Administrator.

Step 2: Copy and paste the command below to get all disabled users.

Get-ADUser -Filter {Enabled -eq "False"}

Step 3. To export the list of disabled users use this command.

Get-ADUser -Filter {Enabled -eq "False"} | export-csv -path c:\temp\disabledusers.csv

Option #2 AD Reporting Tool

In this example, I’ll use the AD Pro Toolkit to find all disabled users in Active Directory.

Step 1: Click on User Reports -> Disabled Users and click Run. To find disabled users in a specific OU click the browse button.

Step 2. Click export.

The AD Pro Toolkit includes over 200 built in reports.

Active Directory Account Disabled Attribute

When a user account is disabled the userAccountControl attribute will change to 514. With PowerShell, you can filter on this attribute to find all disabled users.

get-aduser -filter * -Properties UserAccountControl | where {$_.UserAccountControl -eq 514} | select name, UserAccountControl

The problem with this option is that the UserAccountControl attribute can have different values. For example, if the account is disabled and is set to password never expires the UserAccountControl attribute will be 66050. So running a search for 514 may not list all disabled user accounts in your domain.

With the AD Pro Toolkit you can list multiple user attributes and the account status. This makes it easy to list all disabled accounts and see the UserAccountControl attribute at the same time.

How to Check if a Single User Account is Disabled

Use this command to check the status of a single account. If the account is disabled it will display “False”.

get-aduser -Identity Adam.Lawhorn | select Enabled

In this example, you can see the user account “Adam.Lawhorn” is disabled.

Get All Disabled Users with PowerShell

Use this command to get all disabled users in your domain.

Get-ADUser -Filter {(Enabled -eq $False)}  -Properties Name, Enabled | select name, enabled

How to Export Disabled Users from Active Directory

To export all disabled users to CSV use this command.

Get-ADUser -Filter {(Enabled -eq $False)}  -Properties Name, Enabled | select name, enabled | export-csv -path c:\temp\alldisabledusers.csv

Find Disabled Users in OU

This command will get all disabled users from a specific OU. Change the SearchBase to the DN of the OU you want to search.

Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -Property Enabled | Where {$_.Enabled -like "False"} 

Find Disabled Users in AD with GUI Tool

1. Run Disabled Users Report

Click on User Reports and under Account Status click on Disabled Users.

Next, click the Run button to generate a report of all disabled users.

In the screenshot above you can see the toolkit generated a list of all disabled users in Active Directory. You easily limit the report to an OU or group by clicking the browse button. You can also add and remove user properties by clicking the columns button.

2. Export Report

If you need to export the report click the export button and choose from CSV, XLSX, or PDF.

PDF Report of disabled users

As you can see the AD Pro Toolkit makes it very quick and easy to report on user accounts from Active Directory. You can download a free trial of the AD Pro Toolkit and test it in your domain.

How Long to Keep Disabled User Accounts?

When an Active Directory user account is disabled it stays in Active Directory until an administrator deletes it. Disabled accounts are typically kept for 30 to 90 days before they are deleted. This allows time for the manager or new person to get any files or emails they might need from the previous employee.

The time frame to keep disabled user accounts should be defined by your organization as employee accounts are used by other systems such as HR and payroll.

As an administrator of Active Directory, you should have a process of finding disabled and other inactive user accounts. These accounts should be disabled and then deleted depending on your organization’s policies.


I showed you two examples of how to find disabled user accounts in Active Directory. Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This is important to keep your AD environment secure and organized.

You Might Also Like

12 thoughts on “How to Find Disabled Active Directory User Accounts”

      • Hi Robert, this command just brings a few disabled accounts. Do you know why?
        If I do Find Common queries it brings me more than 800 accounts.

        • Are you sure the query is right? 800 seems like a lot of disabled accounts.

          Try this.
          Get-ADUser -Filter * -Property Enabled | Where {$_.Enabled -like “False”} | FT Name, Enabled -AutoSize

  1. I am using version 10.0.17132.1 of Active Directory Users and Computers and am not seeing the options that you display above.

    When I open the find window I have two tabs: “Users, Contact and Groups” and “Advanced” – this window is titled “Find Users, Contacts and Groups” as opposed to “Find Common Queries” as you present above.


Leave a Comment