How to Disable Active Directory Account Using PowerShell?

An Active Directory administrator must periodically disable user and computer domain accounts that are not used for a long time. Disabled accounts cannot be used to log on the domain, even if the user knows the password for the account and it is not expired.

You can disable a user or computer account in Active Directory through the Active Directory Users & Computers graphical snap-in (ADUC). To do this, find the user account in the console, right-click on it and select Disable Account.

active directory disable account

Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.

powershell disable ad user

You can also disable the Active Directory account using the PowerShell cmdlet Disable-ADAccount.

Install the Active Directory for Windows PowerShell and import it into the PS session with the command:

Import-Module ActiveDirectory

In order to disable the jbrion user account, run the command:

Disable-ADAccount -Identity jbrion

disable ad account powershell

In order to prompt the account disabling confirmation, you can add the –Confirm parameter.

Check that the account is disabled now (Enabled = False):

Get-ADUser jbrion |select name,enabled

powershell disable computer account

You can use the Disable-ADAccount cmdlet to disable both the computer and user or service account in the domain. The following parameters of the AD object can be specified as an -Identity argument:

Hint. To enable an account, use the command:

Get-ADUser jbrion | Enable-ADAccount

To disable all computer accounts in a specific OU:

Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com" | Disable-ADAccount

To find all disabled computer accounts in the domain, use the command:

Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,Enabled

To display list user accounts:

active directory disable user

Hint. You can read more about special service AD account krbtgt.

With PowerShell, you can disable multiple AD accounts. To do this, create a text file with a list of user accounts you want to disable. Then you can disable all user accounts from the txt file using the following PowerShell script:

$users=Get-Content c:\ps\users.txt

ForEach ($user in $users)

{

Disable-ADAccount -Identity $($user.name)

}

Similarly, you can disable computer accounts:

$computers= Get-Content c:\ps\computers.txt

ForEach ($computer in $computers)

{

Disable-ADAccount -Identity "$($computer.name)$"

}

Using the Search-ADAccount cmdlet, you can find all inactive accounts in the domain and disable them at once. For example, you want to disable all users who have not logged into the domain for more than 3 months:

$timespan = New-Timespan -Days 90

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

2 comments

  1. Cyril,

    Thanks for the help! I am using the commands that you provided to build scripts that can be run as scheduled tasks. That way, we can schedule accounts to be disabled during off hours. I got it to work when writing the user name directly into the script. I like your idea of using a text file to store the user accounts to be disabled, though. That way, we can just edit the text file rather than the PowerShell script each time. Is there a specific way that this text file needs to be formatted? I am thinking there must be some way that I am supposed to identify a username as the variable $user.

    1. Use

      Get-ADuser -Identity (put a username here)

      to see the format of the Name Field (the $user.name variable above)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.