Find disabled Active Directory User accounts

There may be times you need to find or report on disabled Active Directory user accounts. It’s best practice to do regular maintenance on AD objects and remove disabled or inactive objects (after verifying they are no longer needed of course).

In this post, I will walk through two methods for finding disabled user accounts.

Method 1: Using AD Cleanup Tool

1. Open Tool

2. Click on filters

Change the Filter to “Show Users” and Show “Disable Users”

3. Click Run

You will now have a report of all disabled accounts in your domain.

You can also limit the report to an OU or group.

In addition to finding disabled users, this tool can quickly find disabled computers, expired users, users with no logon history, and empty groups.

Download Your Copy Here

Method 2: Find Disabled Users with PowerShell

This last example uses PowerShell to return the disabled accounts. I will show you two different PowerShell commands that display the results a bit differently.

1. Open PowerShell and run the command below

Search-ADAccount -AccountDisabled

This command returns not only the username but many other attributes. In most cases, you will just want the username.

2. Run the command below to return only the username of disabled accounts.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This post has provided three methods that can be used to quickly find disabled accounts in Active Directory.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

8 thoughts on “Find disabled Active Directory User accounts”

  1. I am using version 10.0.17132.1 of Active Directory Users and Computers and am not seeing the options that you display above.

    When I open the find window I have two tabs: “Users, Contact and Groups” and “Advanced” – this window is titled “Find Users, Contacts and Groups” as opposed to “Find Common Queries” as you present above.

    Reply
    • First select Find Common queries from the find drop down box.

      Reply
  2. How to export those user list

    Reply
    • Hi Krishnan,

      Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName | export-csv -path c:\csvpath.csv

      Reply
  3. Vary useful. Many tnx.

    Reply
    • How to get those reports with disabled user date..
      Thanks

      Reply
  4. This command can have errors

    Reply
    • Hi, which command gave errors?

      Reply

Leave a Comment