The Disable-ADAccount PowerShell cmdlet is used to disable user, computer, and service accounts in an Active Directory domain. A disabled account cannot be used to log on to the domain, even if the user knows the password for the account and the password has not expired.
Disabling Active Directory Users with PowerShell
To disable a user account in a domain, use the Disable-ADAccount cmdlet from the PowerShell Active Directory module. Just pass the SamAccountName, DistinguishedName, SID, or ObjectGUID of the user you want to disable as the identity value of the cmdlet:
Disable-ADAccount jbrion
Check if the account is disabled now (Enabled = False):
Get-ADUser jbrion |select name,enabled
Hint. You can add the -Confirm parameter to prompt for confirmation before disabling an account.
If an AD-disabled user tries to log on to any computer in the domain, he will get an error:
Your account has been disabled. Please see your system administrator.
To enable a user account in Active Directory again, use the command:
Enable-ADAccount jbrion
How to Disable Computer Accounts in AD with PowerShell
The Disable-ADAccount cmdlet can also be used to disable computer (machine) accounts in AD. If you specify a domain computer name, you must add a dollar sign ($) to the end of the host name. For example:
Disable-ADAccount -Identity la-wks21$
To enable a machine account in AD:
Enable-ADAccount -Identity la-wks21$
Disabling Multiple Active Directory Accounts with PowerShell
You can use PowerShell to disable/enable multiple AD objects in bulk. Let’s look at some real-world scenarios commonly used for bulk account disabling in AD:
Disable all user accounts in a specific Organizational Unit (OU)
Get-ADUser -Filter * -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com" | Disable-ADAccount
Disable all users from a specific department
Get-ADUser -Filter {Department -eq "Sales"}| Disable-ADAccount
Disable users who are members of a specific security group
Get-ADGroupMember -Identity "ExternalITStuff" | Where-Object { $_.objectClass -eq "user" }|Disable-ADAccount
Find and disable inactive users who haven’t logged on to the domain for more than 6 months
$timespan = New-TimeSpan -Days 180
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
Disable inactive computer accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
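The one-liners above disable everything Search-ADAccount returns, with no record of what was changed and no chance to review the list first. The following script is an added example (not from the original article) that runs the same inactive-user search as a review-then-disable sweep: it exports the candidates to a CSV, skips accounts that have never logged on, excludes an OU, writes the reason into the Description attribute, and runs with -WhatIf until the list has been checked. The exclusion OU, the report path and the 180-day window are assumed values.

```powershell
# Added example (not from the original article): review-then-disable sweep for inactive
# user accounts. Assumed values: the exclusion OU, the report path and the 180-day window.
Import-Module ActiveDirectory

$days       = 180
$timespan   = New-TimeSpan -Days $days
$reportPath = "C:\ps\InactiveUsers_$(Get-Date -Format yyyyMMdd).csv"   # assumption
$excludeOU  = "OU=ServiceAccounts,DC=theitbros,DC=com"                  # assumption

# Search-ADAccount returns enabled and disabled objects. Keep only enabled users that
# have a LastLogonDate: an account that has never logged on has no LastLogonDate, so a
# freshly created user is not swept up here. Accounts under the excluded OU are skipped.
$candidates = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan |
    Where-Object {
        $_.Enabled -and
        $_.LastLogonDate -and
        $_.DistinguishedName -notlike "*,$excludeOU"
    } |
    ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, Description, whenCreated
    }

# Step 1: write the review list before anything is changed.
$candidates |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

Write-Host "Found $($candidates.Count) inactive user(s); review $reportPath before removing -WhatIf"

# Step 2: dry run. Remove -WhatIf from both cmdlets once the CSV has been reviewed.
foreach ($user in $candidates) {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $days days (last: $($user.LastLogonDate))"
    Set-ADUser -Identity $user -Description $note -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
}
```

The CSV plus the Description note give you a trail you can hand to whoever asks why an account stopped working, and the excluded OU keeps service accounts that log on through non-interactive paths (and so may show stale LastLogonDate values) out of the sweep.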
Disable users according to a list from a CSV file
Create a simple CSV file ADUserList.csv with the following flat structure:
"Username","Date","Enabled"
"b.jackson","12/24/2021","False"
"jsmith","10/11/2022","False"
"m.brion","03/12/2021","False"
In this file, set the usernames and dates when their accounts need to be disabled. Create the following PowerShell script auto_disable_users.ps1 with the code:
Import-Module ActiveDirectory
$users = Import-Csv -Path "c:\ps\ADUserList.csv"
foreach ($user in $users) {
    # Disable the account only once the date from the CSV has been reached
    # and the Enabled column is set to "False"
    if ((Get-Date) -ge [datetime]$user.Date) {
        if ($user.Enabled -eq "False") {
            Set-ADUser -Identity $user.Username -Enabled $false
        }
    }
}
List all disabled machine accounts in the domain
Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,Enabled
List disabled AD user accounts
Search-ADAccount -AccountDisabled -UsersOnly
You can also disable multiple accounts at once using the ADUC console. Expand the Active Directory OU where the account is located. Select multiple accounts by holding down the CTRL key, right-click and select Disable Account.
If you want to disable multiple accounts from the ADUC graphical console, but they are located in different OUs, you can search across your whole Active Directory structure using an AD Saved Query.
Select the Saved Queries section in the ADUC console and create a new Query.
Select Define Query > Find > Custom Search. Use the following LDAP query to find users with a specific value in the Company attribute.
(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(company=theitbros))
Click the OK button to save the query. Then find and select your query in Saved Queries. Press the F5 key to refresh the search results. A list of accounts that match your query will appear in the window.
Select user accounts (CTRL + A or use CTRL/Shift keys) and click Disable Account.
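The LDAP filter above works in PowerShell as well, which is useful when you want to see exactly which accounts the saved query matches before disabling them in bulk. The following script is an added example (not from the original article): it runs the same filter through Get-ADUser -LDAPFilter, decodes the userAccountControl bits the filter tests (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule and 2 is the ACCOUNTDISABLE flag), and finishes with a -WhatIf dry run of the bulk disable. The company value is taken from the article's filter; the flag table is a subset of the documented userAccountControl bits.

```powershell
# Added example (not from the original article): the saved query's LDAP filter run from
# PowerShell, plus a decoder for the userAccountControl flags the filter tests.
Import-Module ActiveDirectory

# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule and 2 is ACCOUNTDISABLE,
# so "(!(userAccountControl:...:=2))" keeps only accounts whose disabled bit is clear.
$ldap = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(company=theitbros))'

$users = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, company

# Documented userAccountControl bits that matter for an account-status review.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x0002
    PASSWD_NOTREQD     = 0x0020
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the set flags as a comma-separated string
    param([Parameter(Mandatory)][int]$Value)
    ($uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ','
}

# Review list: every match should show NORMAL_ACCOUNT and no ACCOUNTDISABLE
$users |
    Select-Object SamAccountName, company,
        @{ n = 'UAC';   e = { $_.userAccountControl } },
        @{ n = 'Flags'; e = { ConvertFrom-UserAccountControl $_.userAccountControl } } |
    Format-Table -AutoSize

# Dry run of the bulk disable the saved query is used for in the GUI.
# Remove -WhatIf after the list above has been checked.
$users | Disable-ADAccount -WhatIf
```

Because the filter is evaluated on the domain controller, the result is exactly the set the ADUC saved query shows, and PASSWD_NOTREQD or DONT_EXPIRE_PASSWD showing up in the Flags column is worth a second look before the accounts are touched.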
Disable AD Accounts from the Active Directory GUI
If you don’t feel comfortable using the PowerShell console, you can use the ADUC graphical console to disable/enable object accounts.
Open the Active Directory Users and Computers snap-in (dsa.msc), find the user account in the console, right-click on it, and select Disable Account.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
Delegate the Disable/Enable Accounts Permissions in AD
You can delegate the administrative permissions to enable/disable accounts in Active Directory for a specific security group of users, such as HelpdeskTeam.
Right-click in the ADUC console on the OU to which you want to delegate permissions. Select Delegate Control.
Specify the name of the group to which you want to delegate permissions (for example, US_HelpdeskTeam). Then select Create a custom task to delegate > select User objects > select Property-specific permissions: Write userAccountControl.
Save your changes. Your non-admin user group will now be able to enable or disable a user account in a specific Organizational Unit.
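Once such a delegation exists it is easy to lose track of who can enable or disable accounts in an OU, since the right is a property-specific ACE rather than group membership. The following script is an added example (not from the original article) that audits an OU's security descriptor for the Write userAccountControl right granted by the wizard above. It matches on the schemaIDGUID of the userAccountControl attribute (bf967a68-0de6-11d0-a285-00aa003049e2) and also reports ACEs that grant write access to all properties, since those cover userAccountControl too. The OU path is an assumed value.

```powershell
# Added example (not from the original article): list who has write access to
# userAccountControl on an OU, i.e. who can enable or disable accounts there.
Import-Module ActiveDirectory   # also mounts the AD: drive that Get-Acl uses below

$ou = "OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com"   # assumption

# schemaIDGUID of the userAccountControl attribute
$uacGuid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'
# An all-zero ObjectType means the ACE applies to every property, not a single attribute
$allProperties = [guid]::Empty

$acl = Get-Acl -Path "AD:\$ou"

# WriteProperty is tested with -band so that GenericAll/GenericWrite ACEs, which
# include the WriteProperty bit, are reported as well.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $uacGuid -or $_.ObjectType -eq $allProperties)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $uacGuid) { 'userAccountControl' } else { 'all properties' } } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

After running the Delegation of Control wizard you should see the helpdesk group listed with Scope = userAccountControl and IsInherited = False on that OU; anything else in the output (besides the built-in administrative groups) is a delegation you did not set up here and should be able to explain.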
1 comment
Use
Get-ADuser -Identity (put a username here)
to see the format of the Name Field (the $user.name variable above)