How To Find Disabled Users in Active Directory

Organizational Units (OUs) in Active Directory are used to organize users, groups, and other objects based on roles, departments, or similar criteria. Regularly monitoring disabled user accounts within a specific OU helps manage these accounts more effectively. This allows admins to re-enable accounts or remove them to keep the directory secure and organized, with an up-to-date record of account status.

List all disabled users in a specific OU using ADUC

• In the Active Directory Users and Computers console, go to the Filter option in the toolbar.
• Choose the Create custom filter option and click the Customize button.
• Switch to the Advanced tab and enter the following LDAP query, then click OK.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

After completing the above steps , navigate to your OU to view all disabled users within it. However, this approach is limited to displaying disabled users only in the specified OU and does not include users in nested OUs. To view disabled users in nested OUs, PowerShell provides a more comprehensive solution.

Find all disabled users in an OU using PowerShell

Execute the following PowerShell cmdlet to get all disabled users in an OU and from its nested OUs.

Get-ADUser -Filter { Enabled -eq $false } -SearchBase "<OU'sDistinguishedName>" -Properties * |
Select-Object Name, SAMAccountName, UserPrincipalName, DistinguishedName, AccountExpirationDate, LastLogonDate |
Export-Csv -Path "<FilePath>" -NoTypeInformation

Here, replace <OU’sDistinguishedName> with the distinguished name of the OU and <FilePath> with the desired location for your CSV file. To find the distinguished names of all OUs in your organization, use the following command.

Get-ADOrganizationalUnit -Filter * | Select Name, DistinguishedName

Disabling user accounts in Active Directory prevents them from accessing network resources. This is often done when there are security breaches, suspicious logins, or as a first step when a user leaves the organization. It prevents the user from accessing resources within the network, while preserving their data and settings.

Disable an Active Directory user account

To disable a user account in Active Directory, follow these steps:

• Open Active Directory Users and Computers (ADUC) console.
• Locate the user account you want to disable.
• Right-click the user account and select Disable Account. Then, click OK for confirmation.

If you want to re-enable a user's account in Active Directory, repeat the same procedure, but select the Enable Account option.

Tip: To quickly check if an AD user is disabled in ADUC, look for a small black arrow pointing downward on top of the regular user icon.

• In addition to the robust reports on locked-out, inactive, expired users, etc., AdminDroid's management capabilities help you disable users directly from the report.
• To disable user(s), simply select them and click the Disable User management button available at the bottom of the report. Then confirm the action to disable.

Manually disabling multiple user accounts via the ADUC console can be time-consuming. To overcome this limitation, you can follow the steps below to disable bulk users in Active Directory using PowerShell.

• First, create a CSV file containing the SAM account name of the users you want to disable. The CSV file should be formatted as shown here.
• Then, run the following PowerShell command to disable all the users listed in the file.

Import-Csv "<CSVFilePath>" | ForEach-Object { Disable-ADAccount -Identity $_.SAMAccountName }

Similarly, if you need to re-enable multiple user accounts, follow the same approach but replace the ‘Disable-ADAccount’ cmdlet with ‘Enable-ADAccount.’

Import-Csv "<CSVFilePath>" | ForEach-Object { Enable-ADAccount -Identity $_.SAMAccountName }

Disable AD users in a specific organizational unit (OU)

You can use the cmdlet below to disable all users in a specific organizational unit in Active Directory.

Get-ADUser -Filter * -SearchBase "<OU’sDistinguishedName>" | Disable-ADAccount 

Automatically disable inactive AD user accounts

To disable inactive AD accounts after X days of inactivity, you can run the following PowerShell script replacing the <InactiveDays> with the days of inactivity.

$DaysSinceLastLogon = ((Get-Date).AddDays(-<InactiveDays>)).Date
Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogon -lt $DaysSinceLastLogon -and 
$_.Enabled -eq $true} | ForEach-Object {
    Disable-ADAccount -Identity $_.SamAccountName
    Write-Host "Disabled account: $($_.SamAccountName)"
}

Helpful Hint: To automatically disable inactive users in Active Directory at specific intervals, design a PowerShell script and schedule the execution using Task Scheduler.

To determine who disabled an Active Directory account or when it was disabled, ensure that the subcategory ‘Audit User Account Management’ is enabled in the Account Management audit. Without enabling this, the account disable action won’t be logged or available for review.

If auditing is enabled at the time of the action, it will be logged in the domain controller (DC). The event ID for the account disable action is 4725, and it is logged whenever an administr ator disables an AD user account.

Check who disabled an AD account and when it was disabled

• Open Event Viewer on a domain controller where the event is performed and go to Windows Logs»Security.
• Right click on the Security option and choose Filter Current Log.
• Search for event ID ‘4725’ to review all user account disability events.

While the above approach lists all events related to disabled user accounts, it can be difficult to navigate through each event to identify who performed the action and when. To address this, you can identify who disabled the account and get the AD user disabled date using PowerShell.

• Run the cmdlet below, replacing <SAMAccountName> with the specific username you are searching for.

  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} |
  Where-Object { $_.Message -match 'Target Account:\s+Security ID:\s+[^\r\n]+\s+Account Name:\s+<SAMAccountName>' } |
  Select-Object TimeCreated, Message | fl

You can also add start and end date parameters to this PowerShell script to find user accounts disabled in last x days.

Note: Both methods must be performed on the domain controller where the disable action occurred. If your Active Directory has multiple domain controllers, auditing becomes more complex as you need to search for events on each one.

• With AdminDroid, you can easily bypass the complexities of tracking across different DCs as it collects audit data from all your domain controllers in one place.
• The disabled user events report lists audit events for disabled user accounts in your Active Directory, including details such as the time, action performer, event location, and more.

When you try to get a list of disabled users in your Active Directory, you may find certain accounts that are disabled by default. Refer to the section below to learn about such common accounts and understand the reasons for their default disabled status.

Active Directory user accounts can be in different states based on factors like administrative actions, account expiration, inactivity or locked. Understanding the differences such account statues is important for managing accounts, security, and user lifecycles. This table helps clarify these states through a simple comparison.