PowerShell: Find disabled users and computers in AD

This post explains how to use PowerShell to find disabled users and computers in Active Directory.

Launch the Windows PowerShell console from Accessories: right-click it and choose Run as Administrator.

Once launched, use the commands below to collect the information.

Export Disabled Computer Accounts Information using PowerShell cmdlets

Type in the command below to get AD computers that have the “Enabled” property set to $False, which indicates that the computer is disabled. The results are then exported to a CSV file called disabledcomputers.csv in the C:\Temp folder. You can change the location as you wish.

PowerShell
Get-ADComputer -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Server <AnyDomainController> -Properties Name, OperatingSystem | Export-CSV C:\Temp\disabledcomputers.CSV -NoTypeInformation

Export Disabled User Accounts Information using PowerShell cmdlets

Now we’ll use similar commands to check and export a list of all disabled user accounts in AD.

Note that Search-ADAccount supports the “-AccountDisabled” parameter. By using the “-AccountDisabled” parameter, you are instructing Search-ADAccount to look only for disabled user or computer accounts; “-UsersOnly” then limits the results to user accounts. The Export-CSV command writes the list of all disabled users to a CSV file.

PowerShell
Search-ADAccount -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV C:\Temp\DisabledUsers.CSV -NoTypeInformation

Export Inactive/Expired Users list using PowerShell cmdlets

Again, a very similar cmdlet exports inactive users whose accounts are expired as they haven’t changed the password for more than 90 days.

PowerShell
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV C:\Temp\inactiveusers.CSV -NoTypeInformation

The above command uses the -TimeSpan parameter to find user accounts that have been inactive for the last 90 days. The output is exported to the C:\Temp\inactiveusers.csv file.
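
An added example, not part of the original post: the three exports above can be folded into one review file by classifying each account as disabled, never logged on, or inactive, and by flagging disabled accounts that still hold group memberships. The function name Get-AccountReviewStatus, the sample accounts and the accountreview.csv path are assumptions made for this illustration.

```powershell
# Added example (not from the original post). Classifies account objects so that
# disabled, never-used and inactive accounts land in one review list.
function Get-AccountReviewStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $cutoff = $Now.AddDays(-$InactiveDays)
        # LastLogonDate comes from lastLogonTimestamp, which by default can lag
        # the real last logon by up to about 14 days.
        if (-not $Account.Enabled) { $status = 'Disabled' }
        elseif ($null -eq $Account.LastLogonDate) { $status = 'NeverLoggedOn' }
        elseif ($Account.LastLogonDate -lt $cutoff) { $status = 'Inactive' }
        else { $status = 'Active' }
        # Count group memberships; a null MemberOf must count as 0, not 1.
        $groups = @($Account.MemberOf | Where-Object { $_ }).Count
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            ObjectClass    = $Account.ObjectClass
            Status         = $status
            LastLogonDate  = $Account.LastLogonDate
            GroupCount     = $groups
            # A disabled account still in groups regains that access if re-enabled.
            NeedsCleanup   = ($status -eq 'Disabled' -and $groups -gt 0)
        }
    }
}

# Constructed sample objects standing in for Get-ADUser / Get-ADComputer output.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; ObjectClass = 'user'; Enabled = $false
        LastLogonDate = [datetime]'2023-11-02'; MemberOf = @('CN=Finance,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName = 'asmith'; ObjectClass = 'user'; Enabled = $true
        LastLogonDate = [datetime]'2024-01-15'; MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'svc-old'; ObjectClass = 'user'; Enabled = $true
        LastLogonDate = $null; MemberOf = $null }
    [pscustomobject]@{ SamAccountName = 'PC042$'; ObjectClass = 'computer'; Enabled = $true
        LastLogonDate = [datetime]'2024-05-20'; MemberOf = @() }
)
$sample | Get-AccountReviewStatus -Now $now | Where-Object Status -ne 'Active' | Format-Table

# Against a domain (requires the ActiveDirectory module; output path is an assumption):
# Get-ADUser -Filter * -Properties LastLogonDate, MemberOf |
#     Get-AccountReviewStatus | Where-Object Status -ne 'Active' |
#     Export-Csv C:\Temp\accountreview.csv -NoTypeInformation
```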