An Active Directory administrator must periodically disable user and computer domain accounts that are not used for a long time. Disabled accounts cannot be used to log on the domain, even if the user knows the password for the account and it is not expired.
You can disable a user or computer account in Active Directory through the Active Directory Users & Computers graphical snap-in (ADUC). To do this, find the user account in the console, right-click on it and select Disable Account.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
You can also disable Active Directory account using the PowerShell cmdlet Disable-ADAccount.
Install the Active Directory for Windows PowerShell and import it into the PS session with the command:
Import-Module ActiveDirectory
In order to disable the jbrion user account, run the command:
Disable-ADAccount -Identity jbrion
In order to prompt the account disabling confirmation, you can add the –Confirm parameter.
Check that the account is disabled now (Enabled = False):
Get-ADUser jbrion |select name,enabled
You can use the Disable-ADAccount cmdlet to disable both the computer and user or service account in domain. The following parameters of the AD object can be specified as an -Identity argument:
- Distinguished Name
- GUID (objectGUID)
- objectSid
- sAMAccountName
Hint. To enable an account, use the command: Get-ADUser jbrion | Enable-ADAccount
To disable all computer accounts in a specific OU:
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=theitbros,DC=com" | Disable-ADAccount
To find all disabled computer accounts in the domain, use the command:
Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,Enabled
To display list user accounts:
Hint. You can read more about special service AD account krbtgt.
With PowerShell, you can disable multiple AD accounts. To do this, create a text file with a list of user accounts that you want to disable. Then you can disable all user accounts from the txt file using the following PowerShell script:
$users=Get-Content c:\ps\users.txt
ForEach ($user in $users)
{
Disable-ADAccount -Identity $($user.name)
}
Similarly, you can disable computer accounts:
$computers= Get-Content c:\ps\computers.txt
ForEach ($computer in $computers)
{
Disable-ADAccount -Identity "$($computer.name)$"
}
Using the Search-ADAccount cmdlet, you can find all inactive accounts in domain and disable them at once. For example, you want to disable all users who have not logged into the domain for more than 3 months.
$timespan = New-Timespan -Days 90 Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
