How to Find Disabled Active Directory User Accounts

In this guide, you will learn how to find disabled users in Active Directory using PowerShell and by using a GUI tool.

Disabled user accounts can be enabled and used by hackers or disgruntled employees to gain access to the network. Knowing how to quickly find disabled user accounts can improve security and help to keep your domain organized.

Table of Contents:

• How Long to Keep Disabled User Accounts
• Method 1: Find Disabled Users in AD with GUI Tool
• Method 2: Find Disabled Users in AD With PowerShell

How Long to Keep Disabled User Accounts?

When an Active Directory user account is disabled it stays in Active Directory until an administrator deletes it. Disabled accounts are typically kept for 30 to 90 days before they are deleted. This allows time for the manager or new person to get any files or emails they might need from the previous employee.

The time frame to keep disabled user accounts should be defined by your organization as employee accounts are used by other systems such as HR and payroll.

As an administrator of Active Directory, you should have a process of finding disabled and other inactive user accounts. These accounts should be disabled and then deleted depending on your organization’s policies.

Method 1: Find Disabled Users in AD with GUI Tool

In this example, I’ll use the Active Directory Pro Toolkit to get a list of disabled user accounts.

1. Run Disabled Users Report

Click on Reports and under Account Status click on Disabled Users.

Next, click the run button to generate a report of all disabled users.

In the screenshot above you can see the toolkit generated a list of all disabled users in Active Directory. You easily limit the report to an OU or group by clicking the browse button. You can also add and remove user properties by clicking the columns button.

2. Export Report

If you need to export the report click the export button and choose from CSV, XLSX, or PDF.

As you can see the AD Pro Toolkit makes it very quick and easy to report on user accounts from Active Directory. You can download a free trial of the AD Pro Toolkit and test it in your domain.

Method 2: Find Disabled Users in AD using PowerShell

In this example, I’ll use Powershell to find disabled user accounts. I will show you two different PowerShell commands that display the results a bit differently.

Example 1. Get all disabled users with PowerShell

Get-ADUser -Filter {Enabled -eq "False"}

This command will list all disabled users from the entire domain. This command returns not only the username but many other attributes. In most cases, you will just want the username.

Example 2: Get All Disabled Users and filter properties

Get-ADUser -Filter {Enabled -eq "False"} | select name, enabled

In this example, we will filter the output to only display the user’s name and account status.

Example 3. Find disabled users in OU

Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -Property Enabled | Where {$_.Enabled -like "False"} 

This command will get all disabled users from a specific OU. Change the SearchBase to the DN of the OU you want to search.

A 3rd option to find all disabled users is by using the ADUC console. The ADUC console is lacking many features compared to PowerShell and the AD Pro Toolkit.

Open the ADUC console click the find objects button from the top bar then change the find options to “Common Queries. Now just select “Disabled accounts” and click find now.

You can see above this displays the disabled users but no additional user details are available, there is also no option to export the list of users.

Summary

I showed you two examples of how to find disabled user accounts in Active Directory. Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This is important to keep your AD environment secure and organized.