Find disabled Active Directory User accounts

There may be times you need to find or report on disabled Active Directory user accounts. It’s best practice to do regular maintenance on AD objects and remove disabled or inactive objects (after verifying they are no longer needed of course). In this post, I will walk through three methods for finding disabled user accounts.

Method 1: Find Common Queries

1. Open Active Directory Users and Computers

2. Click the find objects button

3. In the Find Common Queries window, select “Common Queries” from the Find: drop-down and “Entire Directory” from the In: drop-down, then check the box “Disabled accounts”.

Once you have selected the above settings and clicked “Find Now” you will have a list of all the disabled accounts. Easy, right?

Method 2: Saved Queries

The saved queries in Active Directory Users and Computers can be used to create simple and complex LDAP search filters.

1. Open Active Directory Users and Computers

2. Right click Saved Queries and select New Query

3. Give the query a name then click the Define Query button. I named my query Disabled Users.

4. In the Find Common Queries box, check the “Disabled accounts” box and click OK.

5. The query string box should now be populated with the LDAP syntax. Click OK.

6. Click on the Disabled Users query under Saved Queries. You should now see all the disabled accounts.

Now every time you open AD you will have this saved query so you can quickly find disabled accounts.

Method 3: PowerShell

This last example uses PowerShell to return the disabled accounts. I will show you two different PowerShell commands that display the results a bit differently.

1. Open PowerShell and run the command below

Search-ADAccount -AccountDisabled

This command returns not only the username but many other attributes as well. In most cases, you will only want the username.

2. Run the command below to return only the username of disabled accounts.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This post has provided three methods that can be used to quickly find disabled accounts in Active Directory.
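As an added example (not from the original post), the following PowerShell builds on Method 3 to produce a review report that flags accounts which have sat disabled longer than the retention window mentioned above. It assumes the RSAT ActiveDirectory module is installed, the caller has read access to the domain, and the OU path is a placeholder to replace.

```powershell
# Added example (not from the original post): report disabled user accounts
# and flag those past a retention window. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller has read access to the domain.
Import-Module ActiveDirectory

function Get-DisabledUserReport {
    param(
        # Days an account may stay disabled before it should be reviewed for deletion
        [int]$RetentionDays = 30,
        # Optional OU to limit the search, e.g. "OU=Staff,DC=example,DC=com" (placeholder)
        [string]$SearchBase
    )

    $params = @{
        Filter     = 'Enabled -eq $false'
        Properties = 'whenChanged', 'LastLogonDate', 'Description'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    $now = Get-Date
    Get-ADUser @params | ForEach-Object {
        # whenChanged is the last modification of any attribute, so it is only an
        # upper bound on how recently the account was disabled, not the exact date.
        $daysSinceChange = [int]($now - $_.whenChanged).TotalDays
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            LastLogonDate     = $_.LastLogonDate
            LastModified      = $_.whenChanged
            DaysSinceChange   = $daysSinceChange
            PastRetention     = $daysSinceChange -ge $RetentionDays
            Description       = $_.Description
        }
    }
}

# Show accounts past the 30-day window, oldest first, and save the full list for review.
# The report only lists candidates; deleting them stays a separate, verified step.
$report = Get-DisabledUserReport -RetentionDays 30
$report | Where-Object PastRetention | Sort-Object DaysSinceChange -Descending |
    Format-Table SamAccountName, DaysSinceChange, LastLogonDate -AutoSize
$report | Export-Csv -Path ".\DisabledUsers.csv" -NoTypeInformation
```

Because the Description field is included, teams that note the disable date or ticket number in that attribute when they disable an account get an exact age instead of the whenChanged estimate.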

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is its easy-to-use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.
