An Active Directory administrator must periodically disable user and computer domain accounts that are not used for a long time. Disabled accounts cannot be used to log on to the domain, even if the user knows the password for the account and it is not expired.
Disable User Account Using Active Directory Users and Computers
You can disable a user or computer account in Active Directory through the Active Directory Users & Computers graphical snap-in (ADUC). To do this, find the user account in the console, right-click on it and select Disable Account.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
You can delegate the admin permissions to enable/disable accounts in Active Directory for a specific group of users, such as HelpdeskTeam.
Right-click in the ADUC console on the OU to which you want to delegate permissions. Select Delegate Control.
Specify the name of the group to which you want to delegate permissions (for example, US_HepldeskTeam). Then select Create a custom task to delegate > select User objects > select Property-specific permissions: Write userAccountControl.
Save your changes. Your non-admin user group will now be able to enable or disable a user account in a specific Organizational Unit.
How to Disable Active Directory Object with PowerShell?
You can also disable the Active Directory account using the PowerShell cmdlet Disable-ADAccount.
Install the Active Directory for Windows PowerShell and import it into the PS session with the command:
Import-Module ActiveDirectory
In order to disable the jbrion user account, run the command:
Disable-ADAccount -Identity jbrion
In order to prompt the account disabling confirmation, you can add the –Confirm parameter.
Check if the account is disabled now (Enabled = False):
Get-ADUser jbrion |select name,enabled
You can use the Disable-ADAccount cmdlet to disable both the computer and user or service account in the domain. The following parameters of the AD object can be specified as an -Identity argument:
- Distinguished Name;
- GUID (objectGUID);
- objectSid;
- sAMAccountName.
Hint. To enable an account, use the command:
Get-ADUser jbrion | Enable-ADAccount
If you want to disable a computer account instead of a user account, you must add a dollar sign to the end of the computer name. For example, the following PowerShell command disables the computer account named la-wks21:
Disable-ADAccount -Identity la-wks21$
To enable a computer account in AD:
Enable-ADAccount -Identity la-wks21$
Disabling Multiple Active Directory Accounts
To disable all user accounts in a specific OU:
Get-ADUser -Filter ‘Name -like “*”‘ -SearchBase “OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com” | Disable-ADAccount
To find all disabled computer accounts in the domain, use the command:
Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,Enabled
To display a list of user accounts:
Hint. You can read more about special service AD account krbtgt.
With PowerShell, you can disable multiple AD accounts. To do this, create a text file with a list of user accounts you want to disable. Then you can disable all user accounts from the txt file using the following PowerShell script:
$users=Get-Content c:\ps\users.txt
ForEach ($user in $users)
{
Disable-ADAccount -Identity $($user.name)
}
Similarly, you can disable computer accounts:
$computers= Get-Content c:\ps\computers.txt
ForEach ($computer in $computers)
{
Disable-ADAccount -Identity “$($computer.name)$”
}
Using the Search-ADAccount cmdlet, you can find all inactive accounts in the domain and disable them at once. For example, you want to disable all users who have not logged into the domain for more than 3 months:
$timespan = New-Timespan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
You can use PowerShell to automate the disabling of user accounts in a domain. Create a simple CSV file ADUserList.csv with the following flat structure:
“Username”,”Date”,”Enabled”
“b.jackson”,”12/24/2021″,”False”
“jsmith”,”10/11/2022″,”False”
“m.brion”,”03/12/2021″,”False”
In this file, set the usernames and dates when their accounts need to be disabled. Create the following PowerShell script auto_disable_users.ps1 with the code:
Import-module ActiveDirectory
$users=Import-csv -Path “c:\ps\ADUserList.csv”
foreach ($user in $users) {
if ((get-date) -ge $user.DateDate) {
if ($user.enabled -eq “False”){Set-ADUser -Identity $user.username -Enabled $false}
}
}
This script will automatically disable user accounts after the specified date. Create a Task Scheduler job to run this script daily on the domain controller.
You can also disable multiple accounts at once using the ADUC console. Expand the Organizational Unit where the account is located. Select multiple accounts by holding down the CTRL key, right-click and select Disable Account.
If you want to disable multiple accounts from the ADUC graphical console, but they are in different OUs, you can inflate your Active Directory structure using AD Saved Query.
Select the Saved Queries section in the ADUC console and create a new Query.
Create a query to select objects from AD. In this example, we are using a simple query to select all users that have “theitbros” in their Organization field.
Select Define Query > Find > Custom Search. Use the following LDAP query to find users with a specific value in the Company attribute.
(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(company=theitbros))
Click the Ok button to save the query. Then find and select your query in Saved Queries. Press the F5 key to refresh the query results. As a result, a list of accounts that match your requests will appear in the window.
Select user accounts and click Disable Account.
- How to Search and Delete Malicious Emails in Office 365? - January 29, 2023
- How to Install Google Chrome for Fedora? - January 29, 2023
- Lens Kubernetes IDE — Opensource Lens Desktop - January 27, 2023
Cyril,
Thanks for the help! I am using the commands that you provided to build scripts that can be run as scheduled tasks. That way, we can schedule accounts to be disabled during off hours. I got it to work when writing the user name directly into the script. I like your idea of using a text file to store the user accounts to be disabled, though. That way, we can just edit the text file rather than the PowerShell script each time. Is there a specific way that this text file needs to be formatted? I am thinking there must be some way that I am supposed to identify a username as the variable $user.
Use
Get-ADuser -Identity (put a username here)
to see the format of the Name Field (the $user.name variable above)