Find disabled Active Directory User accounts

There may be times you need to find or report on disabled Active Directory user accounts. It’s best practice to do regular maintenance on AD objects and remove disabled or inactive objects (after verifying they are no longer needed of course). In this post, I will walk through two methods for finding disabled user accounts.

Method 1: Using AD Cleanup Tool

1. Open Tool

2. Click on filters

Change the Filter to “Show Users” and Show “Disable Users”

3. Click Run

You will now have a report of all disabled accounts in your domain.

You can also limit the report to an OU or group.

In addition to finding disabled users, this tool can quickly find disabled computers, expired users, users with no logon history, and empty groups.

Download Your Copy Here

Method 2: Powershell

This last example uses PowerShell to return the disabled accounts. I will show you to different PowerShell commands that display the results a bit different.

1. Open PowerShell and run the command below

Search-ADAccount -AccountDisabled

This command returns not only the username but many other attributes. In most cases, you will just want the username.

2. Run the command below to return only the username of disabled accounts.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This post has provided three methods that can be used to quickly find disabled accounts in Active Directory.

You might also like:
Find Users accounts with passwords set to never expire
Find a user’s last logon time

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions. Quickly check user or group permissions for files, network, and folder shares.

Analyze user permissions based on an individual user or group membership.

8 thoughts on “Find disabled Active Directory User accounts”

  1. I am using version 10.0.17132.1 of Active Directory Users and Computers and am not seeing the options that you display above.

    When I open the find window I have two tabs: “Users, Contact and Groups” and “Advanced” – this window is titled “Find Users, Contacts and Groups” as opposed to “Find Common Queries” as you present above.

    Reply

Leave a Comment