Inactive user and computer accounts that have not been used for a long time should be periodically disabled by an Active Directory administrator. A disabled account cannot be used to log on to the domain, even if the user knows its password and the password has not expired.
Disable User Account Using Active Directory Users and Computers
You can disable a user or computer account in Active Directory through the Active Directory Users and Computers snap-in (ADUC). To do this, find the user account in the console, right-click on it and select Disable Account.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
You can delegate the administrative permissions to enable/disable accounts in Active Directory for a specific security group of users, such as HelpdeskTeam.
Right-click in the ADUC console on the OU to which you want to delegate permissions. Select Delegate Control.
Specify the name of the group to which you want to delegate permissions (for example, US_HelpdeskTeam). Then select Create a custom task to delegate > select User objects > select Property-specific permissions: Write userAccountControl.
Save your changes. Your non-admin user group will now be able to enable or disable a user account in a specific Organizational Unit.
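The delegation above is meant to grant exactly one thing: write access to userAccountControl on user objects in that OU. The wizard's checkbox list is easy to over-select, so it is worth reading back what the group actually received. The following function is an added example, not code from the article: it reads the OU's security descriptor through the AD: drive, resolves the schema GUIDs of userAccountControl and the user class instead of hardcoding them, and lists every ACE assigned to the delegated group, marking the ones that are not "Write userAccountControl on user objects". The OU distinguished name and the group name in the call are placeholders.

```powershell
# Added example (not from the original article): audit what a delegated group can
# actually do on an OU after "Delegate Control" was run. Requires the RSAT
# ActiveDirectory module, which also provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

function Get-DelegatedAccountControlAces {
    param(
        # OU that was delegated (placeholder DN, adjust to your domain)
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        # Group that received the delegation, in DOMAIN\Name form
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Resolve schemaIDGUIDs from the schema partition rather than trusting a hardcoded value
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $uacGuid   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
    $userGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $GroupName) { continue }

        # The ACE the wizard creates for "Write userAccountControl on User objects":
        # WriteProperty, ObjectType = attribute GUID, InheritedObjectType = user class GUID
        $isUacWrite = (($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                      ($ace.ObjectType -eq $uacGuid) -and
                      ($ace.InheritedObjectType -eq $userGuid)

        $attribute = if ($ace.ObjectType -eq $uacGuid) { 'userAccountControl' } else { $ace.ObjectType }
        $appliesTo = if ($ace.InheritedObjectType -eq $userGuid) { 'user objects' } else { $ace.InheritedObjectType }

        [pscustomobject]@{
            Identity        = $ace.IdentityReference.Value
            Rights          = $ace.ActiveDirectoryRights
            Attribute       = $attribute
            AppliesTo       = $appliesTo
            InheritanceType = $ace.InheritanceType
            # $false here means the group holds something beyond the intended delegation
            Expected        = $isUacWrite
        }
    }
}

# Placeholder values; replace with your OU and the delegated group
Get-DelegatedAccountControlAces -OuDistinguishedName 'OU=Users,OU=NewYork,OU=US,DC=contoso,DC=com' -GroupName 'CONTOSO\US_HelpdeskTeam' |
    Format-Table -AutoSize
```

Any row with Expected = False is a permission the helpdesk group was not supposed to get from this delegation (for example a GenericAll ACE left over from an earlier wizard run) and should be reviewed.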
How to Disable an Active Directory Object with PowerShell?
You can also disable Active Directory accounts using the Disable-ADAccount PowerShell cmdlet.
Install the PowerShell Active Directory module and import it into the PS session with the command:
Import-Module ActiveDirectory
To disable the jbrion user account, run the command:
Disable-ADAccount -Identity jbrion
You can add the -Confirm parameter to prompt for confirmation before disabling an account.
Check if the account is disabled now (Enabled = False):
Get-ADUser jbrion | Select-Object Name, Enabled
The Disable-ADAccount cmdlet can disable computer accounts as well as user and service accounts in the domain. Any of the following attributes of the AD object can be passed as the -Identity argument:
- Distinguished Name;
- GUID (objectGUID);
- objectSid;
- sAMAccountName.
Hint. To enable an account, use the command:
Get-ADUser jbrion | Enable-ADAccount
If you want to disable a computer account instead of a user account, you must add a dollar sign to the end of the computer name. For example, the following PowerShell command disables the computer account named la-wks21:
Disable-ADAccount -Identity la-wks21$
To enable a computer account in AD:
Enable-ADAccount -Identity la-wks21$
Note. You can also disable or enable an Active Directory user on a domain controller from the command line:
net user j.brion /active:no
Check user status:
net user j.brion
Account active No
Enable the user account:
net user j.brion /active:yes
Or use the built-in dsmod.exe utility (you must specify the distinguished name of the user):
dsmod.exe user "CN=John Brion,OU=Users,OU=NewYork,OU=US,DC=contoso,DC=com" -disabled no
Disabling Multiple Active Directory Accounts
To disable all user accounts in a specific OU:
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com" | Disable-ADAccount
To find all disabled computer accounts in the domain, use the command:
Search-ADAccount -AccountDisabled -ComputersOnly | Select-Object Name, LastLogonDate, Enabled
To display a list of disabled user accounts:
Find inactive users who haven’t logged on to the domain for more than 6 months and disable them:
$LastLogonDate = (Get-Date).AddDays(-180)
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} | Disable-ADAccount
You can use PowerShell to disable multiple AD accounts at once. To do this, create a plain text file with the accounts you want to disable, one sAMAccountName per line. Then you can disable all user accounts from the txt file using the following PowerShell script:
# Get-Content returns each line as a plain string, so $user already holds the account name
$users = Get-Content c:\ps\users.txt
ForEach ($user in $users) { Disable-ADAccount -Identity $user }
Similarly, you can disable computer accounts:
# Computer accounts need the trailing $ appended to the name from the file
$computers = Get-Content c:\ps\computers.txt
ForEach ($computer in $computers) { Disable-ADAccount -Identity "${computer}$" }
Search-ADAccount allows you to find all inactive accounts in the domain and disable them all at once. For example, you may want to disable all users who have not logged into the domain for more than 3 months:
$timespan = New-TimeSpan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
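Both inactivity one-liners above disable whatever matches the filter in a single pass, leave no record of what changed, and do not distinguish a genuinely stale account from one that was created recently and simply has no LastLogonTimeStamp yet. The function below is an added example, not code from the article: it runs the same Search-ADAccount inactivity query, supports a dry run with -WhatIf, skips accounts on an exclusion list or created inside the inactivity window, records the date and reason in the Description attribute (keeping the old description so the change can be reverted), and writes a CSV report of what it did or would do. The OU, the exclusion file and the report path are placeholders.

```powershell
# Added example (not from the original article): report-first cleanup of inactive
# user accounts. Paths and the OU are placeholders; adjust them for your domain.
Import-Module ActiveDirectory

function Disable-InactiveADUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $InactiveDays  = 90,
        [string] $SearchBase    = 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com',   # placeholder OU
        [string] $ExclusionFile = 'C:\ps\exclusions.txt',                       # hypothetical file, one sAMAccountName per line
        [string] $ReportPath    = "C:\ps\disabled_$(Get-Date -Format yyyyMMdd).csv"
    )

    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $excluded = if (Test-Path $ExclusionFile) { @(Get-Content $ExclusionFile) } else { @() }

    # LastLogonTimeStamp replicates with up to 14 days of lag, so it is an approximation.
    # Accounts that have never logged on have no value at all and can show up as
    # "inactive"; whenCreated is checked below so brand-new accounts are not disabled.
    $candidates = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description }

    $actions = foreach ($user in $candidates) {
        $skip = $null
        if ($excluded -contains $user.SamAccountName) { $skip = 'excluded by list' }
        elseif ($user.whenCreated -gt $cutoff)        { $skip = 'created inside the inactivity window' }

        if ($skip) {
            [pscustomobject]@{ SamAccountName = $user.SamAccountName; LastLogonDate = $user.LastLogonDate; Action = 'skipped'; Note = $skip }
            continue
        }

        $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable account')) {
            Disable-ADAccount -Identity $user.DistinguishedName
            # Keep the previous description so the change is traceable and reversible
            Set-ADUser -Identity $user.DistinguishedName -Description ("$stamp; was: " + $user.Description)
            $action = 'disabled'
        } else {
            $action = 'would disable'   # -WhatIf path
        }
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; LastLogonDate = $user.LastLogonDate; Action = $action; Note = $stamp }
    }

    # -WhatIf:$false so the report is written even during a dry run
    $actions | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    $actions
}

# Dry run first: lists what would be disabled without touching anything
Disable-InactiveADUsers -InactiveDays 90 -WhatIf
# Real run, once the report looks right:
# Disable-InactiveADUsers -InactiveDays 90
```

Running the dry run on a schedule and reviewing the CSV before the real run catches service accounts that authenticate in ways that do not update LastLogonTimeStamp, which the plain one-liner would silently disable.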
You can use PowerShell to automate the disabling of user accounts in a domain. Create a simple CSV file ADUserList.csv with the following flat structure:
"Username","Date","Enabled"
"b.jackson","12/24/2021","False"
"jsmith","10/11/2022","False"
"m.brion","03/12/2021","False"
In this file, set the usernames and dates when their accounts need to be disabled. Create the following PowerShell script auto_disable_users.ps1 with the code:
Import-Module ActiveDirectory
$users = Import-Csv -Path "c:\ps\ADUserList.csv"
foreach ($user in $users) {
    # The Date column is read as text; cast it so this is a real date comparison
    if ((Get-Date) -ge [datetime]$user.Date) {
        if ($user.Enabled -eq "False") { Set-ADUser -Identity $user.Username -Enabled $false }
    }
}
This script will automatically disable user accounts after the specified date. Create a Task Scheduler job to run this script daily on the domain controller.
You can also disable multiple accounts at once using the ADUC console. Expand the Active Directory OU where the account is located. Select multiple accounts by holding down the CTRL key, right-click and select Disable Account.
If you want to disable multiple accounts from the ADUC graphical console but they are located in different OUs, you can search across your Active Directory structure using an AD Saved Query.
Select the Saved Queries section in the ADUC console and create a new Query.
Create a query to select objects from AD. In this example, we use a simple query that selects all users who have “theitbros” in the Company field on the Organization tab.
Select Define Query > Find > Custom Search. Use the following LDAP query to find enabled users with a specific value in the company attribute (the userAccountControl clause excludes accounts that are already disabled):
(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(company=theitbros))
Click the OK button to save the query. Then find and select your query in Saved Queries. Press the F5 key to refresh the search results. A list of the accounts that match your query will appear in the window.
Select user accounts (CTRL + A or use CTRL/Shift keys) and click Disable Account.
What is the Difference Between Disabled, Expired and Locked User Accounts?
In Active Directory, a user account can be in several states, determined by the value of the UserAccountControl attribute (a bitmask of the Account Options shown in the AD user properties).
Some of the user states may be the reason why the user cannot log on to the domain:
- Account is locked;
- User is disabled;
- Account expired;
- User is restricted to a specific time or computer to log in.
Let’s try to find out what the differences are between disabled, expired, and locked users in AD.
If the user account is disabled, the “Account is disabled” option is checked in its properties. In this case, the following error occurs when the user tries to log on:
Your account has been disabled. Please see your system administrator.
A user account is only disabled or re-enabled explicitly, either manually or through a script, by a domain administrator or by a user to whom the appropriate permissions have been delegated.
After several authentication attempts with a bad password, the user account is locked out. The domain’s account lockout policy determines the number of attempts and the lockout duration.
A locked account is unlocked automatically when the lockout duration expires, or an administrator can remove the lock.
If your account is locked, you will receive the following error message when you try to log on to Windows:
The referenced account is currently locked out and may not be logged on to.
If the administrator has restricted the logon hours or the list of computers the user can log on to in the user properties, the user sees:
The system administrator has limited the computers you can log on with.
Or:
Account restrictions are preventing this user from signing in.
These logon restriction settings are configured by the administrator in the Logon Hours and Logon To attributes in the User properties in AD.
If an expiration date is specified for the account in the AD user properties, the user will not be able to log on to the domain after that date with an error:
The user account has expired
The administrator must manually extend the account expiration date or set the Account expires option to Never.
An account expiration date is usually set for temporary employees or contractors who need access to the domain only for the duration of their contract.
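To see these states side by side on a real account, the following added example (not from the article) decodes the UserAccountControl bitmask with the documented ADS_USER_FLAG values and checks the lockout, expiration, workstation and logon-hours attributes the section describes. The decision logic is kept separate from the directory lookup so it can be exercised on constructed values; Get-ADUserLogonBlocker is the wrapper that reads a live account. The logonHours decoding assumes the documented layout of 21 bytes, one bit per hour of the week in UTC starting Sunday 00:00, least significant bit first.

```powershell
# Added example (not from the original article): tell disabled, locked, expired and
# restricted accounts apart from their attributes. Flag values are the documented
# ADS_USER_FLAG constants; logonHours layout as assumed in the lead-in.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010     # historical bit; the real lockout state is lockoutTime
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000
    DONT_REQ_PREAUTH       = 0x400000
    PASSWORD_EXPIRED       = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a userAccountControl value
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 }
}

function Test-LogonHourAllowed {
    # $true when no restriction is set, or when the bit for $At (in UTC) is set
    param([byte[]]$LogonHours, [datetime]$At = (Get-Date))
    if (-not $LogonHours -or $LogonHours.Count -ne 21) { return $true }
    $utc   = $At.ToUniversalTime()
    $index = [int]$utc.DayOfWeek * 24 + $utc.Hour          # 0 = Sunday 00:00 UTC
    ($LogonHours[[math]::Floor($index / 8)] -band (1 -shl ($index % 8))) -ne 0
}

function Get-LogonBlocker {
    # Pure decision logic: returns the reasons this account cannot log on right now
    param(
        [int]$UserAccountControl,
        [bool]$LockedOut,
        [nullable[datetime]]$AccountExpirationDate,
        [string]$LogonWorkstations,
        [byte[]]$LogonHours,
        [datetime]$Now = (Get-Date)
    )
    $blockers = @()
    if ($UserAccountControl -band $UacFlags.ACCOUNTDISABLE) { $blockers += 'Disabled (userAccountControl bit 0x2)' }
    if ($LockedOut) { $blockers += 'Locked out (lockoutTime set; clears after the lockout duration or Unlock-ADAccount)' }
    if ($AccountExpirationDate -and $AccountExpirationDate -le $Now) {
        $blockers += "Expired on $($AccountExpirationDate.ToString('yyyy-MM-dd')) (accountExpires)"
    }
    if ($LogonWorkstations) { $blockers += "Restricted to workstations: $LogonWorkstations (userWorkstations)" }
    if (-not (Test-LogonHourAllowed -LogonHours $LogonHours -At $Now)) { $blockers += 'Outside permitted logon hours (logonHours)' }
    $blockers
}

function Get-ADUserLogonBlocker {
    # Wrapper that reads the live attributes of one account (needs the ActiveDirectory module)
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, LockedOut, AccountExpirationDate, LogonWorkstations, logonHours
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UacFlags       = (ConvertFrom-UserAccountControl -Value $u.userAccountControl) -join ','
        Blockers       = Get-LogonBlocker -UserAccountControl $u.userAccountControl -LockedOut ([bool]$u.LockedOut) `
                            -AccountExpirationDate $u.AccountExpirationDate -LogonWorkstations $u.LogonWorkstations -LogonHours $u.logonHours
    }
}

# Constructed sample: a disabled account with a non-expiring password that expired a year ago
$sampleUac = 0x0002 -bor 0x0200 -bor 0x10000        # 66050, the value ADUC stores for such an account
ConvertFrom-UserAccountControl -Value $sampleUac       # ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
Get-LogonBlocker -UserAccountControl $sampleUac -LockedOut $false -AccountExpirationDate (Get-Date).AddYears(-1) -LogonWorkstations 'LA-WKS21'
# Live lookup on a domain-joined host with RSAT installed:
# Get-ADUserLogonBlocker -Identity jbrion
```

The distinction matters for triage: a disabled account and an expired account both need an administrator's action, while a lockout clears on its own and usually points at a client with a cached old password or a brute-force attempt worth checking in the security log.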
2 comments
Cyril,
Thanks for the help! I am using the commands that you provided to build scripts that can be run as scheduled tasks. That way, we can schedule accounts to be disabled during off hours. I got it to work when writing the user name directly into the script. I like your idea of using a text file to store the user accounts to be disabled, though. That way, we can just edit the text file rather than the PowerShell script each time. Is there a specific way that this text file needs to be formatted? I am thinking there must be some way that I am supposed to identify a username as the variable $user.
Use
Get-ADuser -Identity (put a username here)
to see the format of the Name Field (the $user.name variable above)