How to Find Disabled Active Directory User Accounts

In this guide, you will learn how to find disabled users in Active Directory using PowerShell and by using a GUI tool.

Disabled user accounts can be enabled and used by hackers or disgruntled employees to gain access to the network. Knowing how to quickly find disabled user accounts can improve security and help to keep your domain organized.

How Long to Keep Disabled User Accounts?

When an Active Directory user account is disabled it stays in Active Directory until an administrator deletes it. Disabled accounts are typically kept for 30 to 90 days before they are deleted. This allows time for the manager or new person to get any files or emails they might need from the previous employee.

The time frame to keep disabled user accounts should be defined by your organization as employee accounts are used by other systems such as HR and payroll.

As an administrator of Active Directory, you should have a process for finding disabled and other inactive user accounts. These accounts should be disabled and then deleted depending on your organization’s policies.

Method 1: Find Disabled Users in AD with GUI Tool

In this example, I’ll use the Active Directory Pro Toolkit to get a list of disabled user accounts.

1. Run Disabled Users Report

Click on Reports and under Account Status click on Disabled Users.

Next, click the run button to generate a report of all disabled users.

List of all disabled users in Active Directory

In the screenshot above you can see the toolkit generated a list of all disabled users in Active Directory. You can easily limit the report to an OU or group by clicking the browse button. You can also add and remove user properties by clicking the columns button.

2. Export Report

If you need to export the report click the export button and choose from CSV, XLSX, or PDF.

Export the report example
PDF sample report of all disabled users

As you can see the AD Pro Toolkit makes it very quick and easy to report on user accounts from Active Directory. You can download a free trial of the AD Pro Toolkit and test it in your domain.

Method 2: Find Disabled Users in AD using PowerShell

In this example, I’ll use PowerShell to find disabled user accounts. I will show you two different PowerShell commands that display the results a bit differently.

Example 1. Get all disabled users with PowerShell

Get-ADUser -Filter {Enabled -eq "False"}

This command will list all disabled users from the entire domain. This command returns not only the username but many other attributes. In most cases, you will just want the username.

powershell list disabled user accounts

Example 2: Get All Disabled Users and filter properties

Get-ADUser -Filter {Enabled -eq "False"} | select name, enabled

In this example, we will filter the output to only display the user’s name and account status.

Example 3. Find disabled users in OU

Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -Properties Enabled | Where-Object {$_.Enabled -eq $false}

This command will get all disabled users from a specific OU. Change the SearchBase to the DN of the OU you want to search.
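
Tying these queries to the retention window discussed earlier, the following added example (not part of the original article) reports disabled users whose userAccountControl attribute last changed before a cutoff date. The 90-day window, the CSV path, and the use of replication metadata as an approximate "disabled on" date are assumptions.

```powershell
# Added example: report disabled users that have exceeded a retention window.
# Requires the ActiveDirectory module (RSAT). Read-only: nothing is deleted.
Import-Module ActiveDirectory

$RetentionDays = 90                            # assumption: set from your policy (30 to 90 days is typical)
$ReportPath    = 'C:\Temp\disabled-users.csv'  # assumption: any writable path
$Cutoff        = (Get-Date).AddDays(-$RetentionDays)

# Query a single domain controller so the users and their metadata come from one source.
$Server = (Get-ADDomain).PDCEmulator

$report = Get-ADUser -Filter 'Enabled -eq $false' -Server $Server -Properties LastLogonDate |
    # Skip built-in accounts that are disabled by design:
    # Guest (RID 501), krbtgt (RID 502), DefaultAccount (RID 503).
    Where-Object { $_.SID.Value -notmatch '-50[123]$' } |
    ForEach-Object {
        # AD has no "disabled on" attribute. The last originating change to
        # userAccountControl is the closest record, but any other flag change
        # (for example "password never expires") also updates it.
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                    -Server $Server -Properties userAccountControl

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Name              = $_.Name
            LastLogonDate     = $_.LastLogonDate
            UacLastChanged    = $meta.LastOriginatingChangeTime
            PastRetention     = ($meta.LastOriginatingChangeTime -lt $Cutoff)
            DistinguishedName = $_.DistinguishedName
        }
    }

# Full list for the record, then the deletion candidates on screen for review.
$report | Sort-Object UacLastChanged | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Where-Object PastRetention |
    Format-Table SamAccountName, UacLastChanged, LastLogonDate -AutoSize
```

Review the PastRetention rows against HR records before removing anything, since the timestamp only approximates the disable date.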

A third option to find all disabled users is by using the ADUC console. The ADUC console is lacking many features compared to PowerShell and the AD Pro Toolkit.

Open the ADUC console, click the find objects button in the top bar, then change the find option to “Common Queries”. Now just select “Disabled accounts” and click Find Now.

Find disabled users with ADUC console

You can see above that this displays the disabled users, but no additional user details are available. There is also no option to export the list of users.

Summary

I showed you two examples of how to find disabled user accounts in Active Directory. Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This is important to keep your AD environment secure and organized.

8 thoughts on “How to Find Disabled Active Directory User Accounts”

  1. I am using version 10.0.17132.1 of Active Directory Users and Computers and am not seeing the options that you display above.

    When I open the find window I have two tabs: “Users, Contact and Groups” and “Advanced” – this window is titled “Find Users, Contacts and Groups” as opposed to “Find Common Queries” as you present above.

    • First select Find Common queries from the find drop down box.

  2. How to export that user list?

    • Hi Krishnan,

      Get-ADUser -Filter {Enabled -eq $false} | Select-Object samAccountName | Export-Csv -Path c:\csvpath.csv -NoTypeInformation

  3. Very useful. Many thanks.

    • How to get those reports with the disabled user date?
      Thanks

  4. This command can have errors

    • Hi, which command gave errors?