
How to Get all Enabled Users in Active Directory

Keeping track of enabled user accounts in Active Directory is crucial for security and efficient management. Over time, unused but still enabled accounts become a risk: they are unauthorized access points that increase the chances of credential misuse or exploitation. This guide explains how to identify and manage all enabled user accounts in AD to streamline administration and strengthen security.

Find All Enabled Users in Active Directory Using ADUC

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Open the Active Directory Users and Computers (ADUC) console.
  • Right-click the domain or Organizational Unit (OU) from which you want to find the enabled users and select Find.
  • From the Find drop-down, choose Custom Search.
  • Switch to the Advanced tab and enter the following LDAP query.
    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  • Click Find Now to display all enabled users in your on-premises Active Directory.

Get All Enabled Users in Active Directory Using ADAC

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Open the Active Directory Administrative Center (ADAC) and go to the Global Search tab.
  • Choose the Convert to LDAP radio button and enter the following LDAP query (with no spaces between the clauses) to find all enabled user accounts in Active Directory.
     (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  • Finally, hit the Apply button.

Export Enabled Users in Active Directory Using PowerShell

Active Directory permission required: Domain User (least privilege) or Administrators (most privilege).
  • While the above two approaches help list all enabled users in your AD domain, they don’t provide a way to get detailed user metrics or export them.
  • To overcome these limitations, you can use the ‘Get-ADUser’ cmdlet to get enabled AD user accounts using PowerShell.
  • First, use the following cmdlet to import the Active Directory PowerShell module.
     Import-Module ActiveDirectory
  • Then, execute the cmdlet below to export enabled users from Active Directory. Name, SAMAccountName, UserPrincipalName and DistinguishedName are returned by default, so only the two extra attributes need to be requested with -Properties.
      Get-ADUser -Filter {Enabled -eq $true} -Properties AccountExpirationDate, LastLogonDate | Select-Object Name, SAMAccountName, UserPrincipalName, DistinguishedName, AccountExpirationDate, LastLogonDate | Export-Csv -Path "<FilePath>" -NoTypeInformation

Note: Ensure that you replace <FilePath> with the desired path for your CSV file.

  • The exported CSV file provides a comprehensive view of each enabled user in your Active Directory, including key details such as name, SAM account name, User Principal Name, account expiration date, and last logon time.
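The following function is an added example, not code from the original post or from AdminDroid. It combines the LDAP filter used in the ADUC/ADAC steps with the PowerShell export above, and additionally flags enabled accounts that have not logged on within a threshold (the -StaleDays and -Path parameters, and the PasswordNeverExpires and Stale columns, are this example's own). It assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: export every enabled AD user and flag the ones that look abandoned.
function Export-EnabledAdUser {
    [CmdletBinding()]
    param(
        [string]$SearchBase,                       # optional OU DN; defaults to the whole domain
        [int]$StaleDays = 90,                      # inactivity threshold (assumed value)
        [string]$Path = '.\enabled-users.csv'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Same filter as the ADUC/ADAC steps: bit 0x2 (ACCOUNTDISABLE) of userAccountControl is clear.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this means "not disabled".
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'

    $params = @{
        LDAPFilter = $ldapFilter
        Properties = 'AccountExpirationDate', 'LastLogonDate', 'PasswordLastSet', 'userAccountControl'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $rows = Get-ADUser @params | ForEach-Object {
        # LastLogonDate comes from the replicated lastLogonTimestamp (accurate to ~14 days);
        # $null means the account has never logged on anywhere.
        $stale = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        [pscustomobject]@{
            Name                  = $_.Name
            SamAccountName        = $_.SamAccountName
            UserPrincipalName     = $_.UserPrincipalName
            DistinguishedName     = $_.DistinguishedName
            AccountExpirationDate = $_.AccountExpirationDate
            LastLogonDate         = $_.LastLogonDate
            PasswordLastSet       = $_.PasswordLastSet
            # bit 0x10000 = DONT_EXPIRE_PASSWORD; stale accounts with this set deserve a closer look
            PasswordNeverExpires  = [bool]($_.userAccountControl -band 0x10000)
            Stale                 = $stale
        }
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows
}

# Usage: export everything, then list the stale enabled accounts to review first
$all = Export-EnabledAdUser -StaleDays 90 -Path 'C:\Reports\enabled-users.csv'
$all | Where-Object Stale | Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, PasswordNeverExpires -AutoSize
```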

Track and Manage Enabled User Accounts in AD Like a Pro!

AdminDroid’s Active Directory reporting tool streamlines the process of managing enabled users in your organization. It provides comprehensive reports to list all enabled users with detailed insights into account status, logon restrictions, membership details, password policies, and more.

Manage Inactive Enabled Users in Active Directory

Leverage AdminDroid’s inactive enabled users report to streamline the process of disabling or removing inactive users in your on-premises AD environment for enhanced security.

Review Enabled Users with Admin Privileges

Analyze privileged admin accounts with enabled status to ensure only authorized individuals can perform administrative actions, minimize potential security risks, and maintain compliance.

Track Password Expired Users in AD with Ease!

Keep track of password-expired users in Active Directory to prevent login issues, and ensure uninterrupted access in your organization.

Check Recently Deleted User Accounts in AD

Identify the recently deleted users with account status enabled to ensure no active accounts were mistakenly removed and restore necessary accounts promptly.

Monitor User Accounts with Expiration Date

Track users with account expiry in Active Directory to ensure seamless offboarding, manage contractors or temporary workers, and optimize user lifecycle management.

Detect Suspicious Logon Attempts of AD Users

Audit failed logon events in your on-premises Active Directory to identify unusual logon patterns, such as attempts from restricted hours, unknown devices, or expired and disabled user accounts.

In conclusion, AdminDroid's Active Directory management tool enhances the process of tracking and managing enabled users in Active Directory. With advanced features like intuitive filters, customizable reports, and easy export options, it empowers admins to maintain precise user management with minimal effort.

Explore a full range of reporting options

Important Tips

Prevent unauthorized access by disabling inactive user accounts based on the last logon time of users in your on-premises Active Directory.

Implement Role-Based Access Control (RBAC) for users in AD to assign least privileged roles and minimize unnecessary access.

Apply security settings, software deployment, and user restrictions via GPOs to ensure consistent policies across enabled users in the domain.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while retrieving and managing enabled users in Active Directory.

Error: The search filter cannot be recognized.

This issue occurs when an invalid LDAP query filter is entered while searching for enabled users in the global search of the Active Directory Administrative Center (ADAC).

Fix: Make sure the query filter is formatted correctly, without any spaces between the clauses.
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

Error: Search-ADAccount : Parameter set cannot be resolved using the specified named parameters.

This error occurs when conflicting or missing parameters are used with the “Search-ADAccount” cmdlet in Active Directory PowerShell.

Fix: Ensure you include the correct parameter, such as -AccountInactive, to successfully identify inactive users.
Search-ADAccount -AccountInactive -UsersOnly

Error: Disable-ADAccount : Insufficient access rights to perform the operation.

This error occurs when you try to execute the ‘Disable-ADAccount’ cmdlet without the necessary permissions.

Fix: Ensure you're connected with at least Account Operator privileges to disable or enable an account.

Error: As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support.

This error occurs when the user's account is locked out in Active Directory due to repeated invalid logon or password change attempts.

Fix: To resolve this, unlock the user account in the Active Directory Users and Computers (ADUC) console: open the user's properties, go to the Account tab and select the Unlock account checkbox.

Frequently Asked Questions

Track Enabled User Accounts in Active Directory for Enhanced User Management

1. How to enable user account management audits in Active Directory?

To detect when a user account is enabled or disabled in Active Directory, the Audit User Account Management subcategory within the Account Management audit policy must be enabled. Without this setting, actions like enabling or disabling accounts will not be logged.

Steps to enable Audit User Account Management policy

  • Open the Group Policy Management console and navigate to the domain where the objects to be audited are located.
  • Right-click on the desired Group Policy Object (GPO) that applies to this domain and select Edit or create a new GPO if necessary and choose Edit.
  • In the Group Policy Management Editor, go to: Computer Configuration»Policies»Windows Settings»Security Settings»Advanced Audit Policy Configuration»Audit Policies»Account Management.
  • In the right pane, find and select Audit User Account Management.
  • Enable the Audit User Account Management policy for both Success and Failure events. This will track various account-related activities, including the creation, enabling, disabling, deletion, and modification of user accounts.
Note:
  • To enable user account management auditing for a specific set of users, group them under a specific OU and create a GPO.
  • Auditing will start from the time this setting is enabled, and prior actions will not be recorded.

2. How to detect who disabled or enabled a user account in Active Directory?

When the Audit User Account Management policy is enabled, user administration activities are logged in the Security logs. For user account actions, Event ID 4722 is logged when a user account is enabled, and Event ID 4725 is logged when an account is disabled. These logs contain key details about the events, such as who performed the action, when it occurred, and from which machine to help admins track account changes effectively.

Track user account enable/disable events using Event Viewer

  • Open Event Viewer on a domain controller and navigate to Windows Logs»Security.
  • In the right pane, click Filter Current Log.
  • Search for Event IDs 4722 (account enabled) or 4725 (account disabled) to review related user account events.

Check who enabled/disabled a user account using PowerShell

You can use the below PowerShell cmdlets to filter event logs based on user accounts. Replace the <SAMAccountName> with the specific username for which you’re auditing, in the following events:

Event ID 4722: User account enabled

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} | Where-Object { $_.Message -match "Target Account:\s+Security ID:\s+[^\r\n]+\s+Account Name:\s+<SAMAccountName>" } | Select-Object TimeCreated, Message | Format-List

Event ID 4725: User account disabled

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} | Where-Object { $_.Message -match "Target Account:\s+Security ID:\s+[^\r\n]+\s+Account Name:\s+<SAMAccountName>" } | Select-Object TimeCreated, Message | Format-List

To narrow results further, you can filter the logs by the ‘TimeCreated’ attribute based on your requirements to focus on events within a specific timeframe.

Note: Both methods must be performed on the domain controller where the enable or disable action occurred. If your Active Directory has multiple domain controllers, auditing becomes more complex as you need to search for events on each one.
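As an added example (not code from the original post or from AdminDroid), the function below addresses the multi-domain-controller problem described in the note: it queries the Security log of every DC for Event IDs 4722 and 4725 and reads the structured EventData fields instead of matching the message text. The -SamAccountName and -StartTime parameters are this example's own; it assumes the ActiveDirectory module is available and that remote event log access (the Remote Event Log Management firewall rules) is permitted on the DCs.

```powershell
# Added example: who enabled or disabled which account, collected from all domain controllers.
function Get-AdAccountStatusChange {
    [CmdletBinding()]
    param(
        [string]$SamAccountName,                        # optional: restrict to one target account
        [datetime]$StartTime = (Get-Date).AddDays(-7)   # assumed default look-back window
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Each DC logs only the changes it processed itself, so every DC has to be asked.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $filter = @{ LogName = 'Security'; Id = 4722, 4725; StartTime = $StartTime }

    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" is normal for an idle DC; anything else is worth a warning
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
            continue
        }
        foreach ($e in $events) {
            # EventData carries named fields (SubjectUserName, TargetUserName, ...), which is
            # more reliable than a regex over the localized message text.
            $xml = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($SamAccountName -and $d.TargetUserName -ne $SamAccountName) { continue }
            [pscustomobject]@{
                Time             = $e.TimeCreated
                DomainController = $dc
                Action           = if ($e.Id -eq 4722) { 'Enabled' } else { 'Disabled' }
                TargetAccount    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                PerformedBy      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                PerformerLogonId = $d.SubjectLogonId   # correlate with 4624 on that DC if needed
            }
        }
    }
}

# Usage: all enable/disable actions in the last 30 days, newest last
Get-AdAccountStatusChange -StartTime (Get-Date).AddDays(-30) | Sort-Object Time | Format-Table -AutoSize
```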

Simplify tracking of disabled or enabled AD accounts without the inconvenience of switching between multiple domain controllers!

  • With AdminDroid, you can eliminate this complexity by collecting and filtering audit data from all domain controllers and other computers in a single place.
  • The enabled user events and disabled user events reports track audit events for enabled and disabled accounts in Active Directory with details including, time, action performer, and event location.

3. How to enable a disabled user account in Active Directory?

Enabling a disabled user account in Active Directory restores access to network resources. The user can regain access to their data and settings without recreating the account. This is typically done after a temporary disablement for security or administrative reasons.

Enable an Active Directory user using ADUC console

  • Open the Active Directory Users and Computers (ADUC) console.
  • In the left pane, right-click the domain or Organizational Unit (OU) where you want to search and select Find.
  • From the Find drop-down, choose Common Queries.
  • Under the Users tab, check the Disabled accounts option and click Find Now to list disabled user accounts.
  • Right-click the desired disabled user account and select Enable Account to restore access.

Enable a user account in Active Directory using PowerShell

First, run the cmdlet below to find the SAM account name or the distinguished name of the disabled user account that you want to enable. Name, SAMAccountName and DistinguishedName are default properties, so no -Properties parameter is needed.

Get-ADUser -Filter {Enabled -eq $false} | Select-Object Name, SAMAccountName, DistinguishedName

Then, you can use the following PowerShell command to enable a disabled user account by replacing <UserName> with the user's SAM account name or distinguished name.

Enable-ADAccount -Identity "<UserName>"

Effortlessly manage AD user accounts – enable or disable them in just a few clicks with AdminDroid!

  • The AdminDroid’s account disabled users report lists all disabled users with details such as last logon time, OU name, and more.
  • With AdminDroid's management capabilities, you can enable a disabled user directly from the report. To do so, simply select the user(s) and click Enable User.

Pro Tip: To consistently review disabled accounts in Active Directory, schedule (⏰) this report at specific intervals to identify and safely remove accounts that are no longer needed.

4. How to list enabled users who are currently locked out in Active Directory?

User account lockouts in Active Directory occur after multiple failed logon attempts when lockout policies are in place. Admins can unlock these accounts to restore user access. But you might wonder, “Why manually unlock accounts if they unlock automatically after some time?”

The answer lies in organizational policies—some disable automatic unlocks, while others set long delays before unlocking accounts. In such cases, manual unlocking becomes essential, especially in emergencies. Instead of sifting through all locked accounts, filtering only enabled locked accounts streamlines the process, saving admin time and reducing effort.

Find enabled accounts that are currently locked out using the ADUC console

  • Open the Active Directory Users and Computers (ADUC) console.
  • Right-click the domain or Organizational Unit (OU) where you want to search and select Find.
  • From the Find drop-down, choose Custom Search.
  • In the Advanced tab, enter the following LDAP query:
    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(lockoutTime>=1))
  • Click Find Now to display all enabled user accounts locked out in Active Directory.

List all locked out accounts with enabled status in AD using PowerShell

Run the following PowerShell command to find all enabled users currently locked out in Active Directory:

Get-ADUser -Filter {Enabled -eq $true} -Properties LockedOut | Where-Object LockedOut | Format-Table

The above cmdlet retrieves enabled users who are currently locked out, including details such as distinguished name, name, object GUID, user principal name, and more.
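The function below is an added example (not code from the original post or from AdminDroid). It extends the query above by asking the PDC emulator, which receives every DC's bad-password attempts and therefore holds the most current lockout state, converts the raw lockoutTime attribute to a readable timestamp, and offers an optional -Unlock switch (this example's own) that honours -WhatIf. It assumes the ActiveDirectory module is available.

```powershell
# Added example: enabled accounts that are currently locked out, with when and why, plus an
# optional unlock that can be previewed with -WhatIf.
function Get-EnabledLockedOutUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Unlock)
    Import-Module ActiveDirectory -ErrorAction Stop

    # badPwdCount is not replicated; the PDC emulator is the one DC that sees all bad attempts,
    # so query it directly instead of whichever DC the client happens to pick.
    $pdc = (Get-ADDomain).PDCEmulator

    $users = Get-ADUser -Server $pdc -Filter 'Enabled -eq $true' `
                -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt |
        Where-Object LockedOut |          # LockedOut already accounts for the lockout duration
        Select-Object SamAccountName, DistinguishedName, badPwdCount, LastBadPasswordAttempt,
            @{ Name = 'LockedSince'; Expression = { [datetime]::FromFileTime($_.lockoutTime) } }

    if ($Unlock) {
        foreach ($u in $users) {
            # ShouldProcess makes -WhatIf and -Confirm work for the unlock step
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Unlock-ADAccount')) {
                Unlock-ADAccount -Server $pdc -Identity $u.DistinguishedName
            }
        }
    }
    return $users
}

# Usage: review the list first, then preview the unlocks before running them for real
Get-EnabledLockedOutUser | Format-Table -AutoSize
Get-EnabledLockedOutUser -Unlock -WhatIf
```

A high badPwdCount with a recent LastBadPasswordAttempt on an account the user says they have not touched is worth investigating before unlocking.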
