How to Delete AD User Using PowerShell?

You can remove user objects from an Active Directory domain by using the Remove-ADUser PowerShell cmdlet. This cmdlet is a part of the ActiveDirectory Module for Windows PowerShell, which must be pre-installed and imported into the PoSh session with the command:

Import-Module activedirectory

The syntax of the Remove-ADUser cmdlet looks as follows:

Remove-ADUser [-Identity] <ADUser> [-WhatIf] [-Confirm] [-AuthType <ADAuthType> {Negotiate | Basic}] [-Credential <pscredential>] [-Partition <string>] [-Server <string>] [<CommonParameters>]

In the -Identity parameter you must specify the AD user account to remove. You can specify a username in several ways, by using: distinguished name (DN), GUID, security identifier (SID) or SAM account name.

To remove the user with the user logon name b.jackson, run the command:

Remove-ADUser b.jackson

A prompt appears asking you to confirm the removal of the user object from the domain. To delete the user, press Y and then Enter.


To remove an AD user without the confirmation prompt, add -Confirm:$False at the end of the command:

Remove-ADUser b.jackson -Confirm:$False

You can remove several domain users at once using a simple PowerShell script. Create a text file Users.txt with the list of users to remove, one logon name per line:

b.jackson
brett.jackson
t.mauer
a.kit
s.cooper

To remove the AD users listed in the text file, use the following PowerShell script:

Import-Module ActiveDirectory

# Read the logon names (one per line) from the list file
$users = Get-Content "c:\PS\Users.txt"

ForEach ($user in $users)
{
    Start-Sleep -Seconds 1
    # Delete the current account from the list without a confirmation prompt
    Remove-ADUser -Identity $user -Confirm:$false
    Write-Host $user "Deleted"
}


Before running the script for real, it is advisable to run it once with the -WhatIf parameter added to Remove-ADUser: this prints the accounts that would be removed without deleting anything.

Write-Host writes only to the console, so its text cannot be redirected to a file. If you want to log the results (which users were deleted) to a text file, replace the Write-Host line with the following pipeline, which shows the message on screen and appends it to the log file:

Write-Output "$user Deleted" | Tee-Object -FilePath c:\ps\removeusers_log.txt -Append
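The list-driven script, the -WhatIf dry run and the log file above can be combined into one function. The following is an added example, not code from the original article: it resolves each name before deleting it so the log keeps the DN and GUID of removed objects, skips accounts that are still enabled unless told otherwise, and honours -WhatIf through SupportsShouldProcess. The file paths and the function name are assumptions.

```powershell
# Added example (not from the original article): bulk removal with pre-checks and an audit log.
# Assumes the ActiveDirectory module is installed and Users.txt holds one sAMAccountName per line.
Import-Module ActiveDirectory

function Remove-ListedADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ListPath,          # e.g. C:\PS\Users.txt
        [string] $LogPath = 'C:\PS\removeusers_log.txt',    # hypothetical log location
        [switch] $IncludeEnabled                            # by default, enabled accounts are skipped
    )

    foreach ($name in (Get-Content $ListPath | Where-Object { $_.Trim() })) {
        $name = $name.Trim()
        try {
            # Resolve the account first so the log records the DN and GUID even after the object is gone
            $user = Get-ADUser -Identity $name -Properties LastLogonDate -ErrorAction Stop
        } catch {
            # Always write the log, even during a -WhatIf dry run
            "$(Get-Date -Format s) NOT FOUND $name" | Add-Content $LogPath -WhatIf:$false
            continue
        }

        if ($user.Enabled -and -not $IncludeEnabled) {
            "$(Get-Date -Format s) SKIPPED (still enabled) $($user.DistinguishedName)" |
                Add-Content $LogPath -WhatIf:$false
            continue
        }

        # ShouldProcess honours -WhatIf / -Confirm passed to this function, so a dry run deletes nothing
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Remove-ADUser')) {
            # Delete by objectGUID: unambiguous even if several accounts have similar names
            Remove-ADUser -Identity $user.ObjectGUID -Confirm:$false
            "$(Get-Date -Format s) DELETED $($user.DistinguishedName) guid=$($user.ObjectGUID) lastLogon=$($user.LastLogonDate)" |
                Add-Content $LogPath -WhatIf:$false
        }
    }
}

# Dry run first, then the real removal:
# Remove-ListedADUser -ListPath 'C:\PS\Users.txt' -WhatIf
# Remove-ListedADUser -ListPath 'C:\PS\Users.txt'
```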

You can delete all blocked (disabled) user accounts in the domain. To select disabled AD users, use the Search-ADAccount cmdlet (available in PowerShell 4.0 and newer):

Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | Remove-ADUser

Using PowerShell and the LastLogonDate attribute, you can find inactive user accounts that have not logged on to the domain for, for example, more than 6 months. Note that LastLogonDate is derived from lastLogonTimestamp, which replicates between domain controllers with a delay of up to 14 days, so the value is approximate; accounts that have never logged on have no LastLogonDate and are not matched by the filter. To remove such user objects, run the script:

$lastdate= (Get-Date).AddDays(-180)

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $lastdate} | Remove-ADUser -WhatIf

You can run a simple PowerShell one-liner to remove disabled and inactive users from a specific Organizational Unit in Active Directory:

Get-ADUser -Filter "enabled -eq 'false'" -Property WhenChanged -SearchBase "OU=Employees,OU=HQ,DC=theitbros,DC=com" | where {$_.WhenChanged -le (Get-Date).AddDays(-180)} | Remove-ADUser -WhatIf

Cyril Kardashevsky