An Active Directory administrator must periodically disable user and computer domain accounts that are not used for a long time. Disabled accounts cannot be used to log on the domain, even if the user knows the password for the account and it is not expired.
You can disable a user or computer account in Active Directory through the Active Directory Users & Computers graphical snap-in (ADUC). To do this, find the user account in the console, right-click on it and select Disable Account.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
You can also disable the Active Directory account using the PowerShell cmdlet Disable-ADAccount.
Install the Active Directory for Windows PowerShell and import it into the PS session with the command:
Import-Module ActiveDirectory
In order to disable the jbrion user account, run the command:
Disable-ADAccount -Identity jbrion
In order to prompt the account disabling confirmation, you can add the –Confirm parameter.
Check that the account is disabled now (Enabled = False):
Get-ADUser jbrion |select name,enabled
You can use the Disable-ADAccount cmdlet to disable both the computer and user or service account in the domain. The following parameters of the AD object can be specified as an -Identity argument:
- Distinguished Name;
- GUID (objectGUID);
- objectSid;
- sAMAccountName.
Hint. To enable an account, use the command:
Get-ADUser jbrion | Enable-ADAccount
To disable all computer accounts in a specific OU:
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com" | Disable-ADAccount
To find all disabled computer accounts in the domain, use the command:
Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,Enabled
To display list user accounts:
Hint. You can read more about special service AD account krbtgt.
With PowerShell, you can disable multiple AD accounts. To do this, create a text file with a list of user accounts you want to disable. Then you can disable all user accounts from the txt file using the following PowerShell script:
$users=Get-Content c:\ps\users.txt
ForEach ($user in $users)
{
Disable-ADAccount -Identity $($user.name)
}
Similarly, you can disable computer accounts:
$computers= Get-Content c:\ps\computers.txt
ForEach ($computer in $computers)
{
Disable-ADAccount -Identity "$($computer.name)$"
}Using the Search-ADAccount cmdlet, you can find all inactive accounts in the domain and disable them at once. For example, you want to disable all users who have not logged into the domain for more than 3 months:
$timespan = New-Timespan -Days 90 Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
- How to Install and Configure Read-Only Domain Controller (RODC)? - July 23, 2021
- How to Reserve IP Address on Windows Server DHCP? - July 23, 2021
- How to Disable Fast Startup in Windows 10? - July 23, 2021
Cyril,
Thanks for the help! I am using the commands that you provided to build scripts that can be run as scheduled tasks. That way, we can schedule accounts to be disabled during off hours. I got it to work when writing the user name directly into the script. I like your idea of using a text file to store the user accounts to be disabled, though. That way, we can just edit the text file rather than the PowerShell script each time. Is there a specific way that this text file needs to be formatted? I am thinking there must be some way that I am supposed to identify a username as the variable $user.
Use
Get-ADuser -Identity (put a username here)
to see the format of the Name Field (the $user.name variable above)