Find disabled Active Directory User accounts

There may be times you need to find or report on disabled Active Directory user accounts. It’s best practice to do regular maintenance on AD objects and remove disabled or inactive objects (after verifying they are no longer needed of course). In this post, I will walk through two methods for finding disabled user accounts.

Method 1: Using AD Cleanup Tool

1. Open Tool

2. Click on filters

Change the Filter to “Show Users” and Show “Disable Users”

3. Click Run

You will now have a report of all disabled accounts in your domain.

You can also limit the report to an OU or group.

In addition to finding disabled users, this tool can quickly find disabled computers, expired users, users with no logon history, and empty groups.

Download Your Copy Here

Method 2: Powershell

This last example uses PowerShell to return the disabled accounts. I will show you to different PowerShell commands that display the results a bit different.

1. Open PowerShell and run the command below

Search-ADAccount -AccountDisabled

This command returns not only the username but many other attributes. In most cases, you will just want the username.

2. Run the command below to return only the username of disabled accounts.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

Most organizations have a policy to leave accounts disabled for a period of time, such as 30 days. If you don’t have a procedure in place to go back and delete the account, your Active Directory will become a mess. This post has provided three methods that can be used to quickly find disabled accounts in Active Directory.

You might also like:
Find Users accounts with passwords set to never expire
Find a user’s last logon time