Find user accounts that are disabled

Many organisations disable user accounts when a user leaves – often those accounts will remain cluttering AD for years.  How can we find them?

"`nMicrosoft"
# ActiveDirectory module: the LDAP filter is evaluated on the domain controller
Get-ADUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=2)" |
select Name, DistinguishedName |
Format-Table Name, DistinguishedName

"`nAD provider"
# AD: drive from the ActiveDirectory module; same LDAP filter, searched from the domain root
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))" `
 -Path "AD:\DC=Manticore,DC=org" -Recurse |
Format-Table Name, DistinguishedName

"`nQuest"
# Quest AD cmdlets: the -Disabled switch builds the filter for you
Get-QADUser -Disabled -SizeLimit 3000 |
Format-Table Name, DN

"`nScript"
# Plain .NET DirectorySearcher bound to the default naming context
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"
$search.SizeLimit = 3000
$results = $search.FindAll()

foreach ($result in $results){
    $result.Properties |
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}


You’ll notice that (useraccountcontrol:1.2.840.113556.1.4.803:=2) appears in three of the four solutions. This is an LDAP filter that tests whether the disable bit (2) is set in the useraccountcontrol property: the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the clause matches only when every bit in the supplied mask is set. It's ugly but it works. The Quest cmdlet has a nice -Disabled switch (it also has an -Enabled switch to only retrieve enabled accounts).
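As an added example (my code, not the post's), the same bitwise filter can be generalised to any userAccountControl flag rather than hand-typing the mask. The flag values are the documented userAccountControl bits; the function names New-UacLdapFilter and ConvertFrom-Uac are my own, and the Get-ADUser call at the end assumes the ActiveDirectory module is loaded. Multiple flags are ORed into one mask, and because the matching rule is a bitwise AND, the filter then matches only accounts that have all of those bits set.

```powershell
# Added example: build the bitwise LDAP filter from named userAccountControl flags
# and decode a raw userAccountControl value back into flag names.
# Flag values are the documented userAccountControl bits; function names are my own.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x2
    LOCKOUT                = 0x10
    PASSWD_NOTREQD         = 0x20
    NORMAL_ACCOUNT         = 0x200
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    PASSWORD_EXPIRED       = 0x800000
}

# LDAP_MATCHING_RULE_BIT_AND: the OID used in the post's filter
$BitAnd = '1.2.840.113556.1.4.803'

function New-UacLdapFilter {
    param(
        [Parameter(Mandatory)][string[]]$Flag,   # names from $UacFlags
        [switch]$NotSet                           # negate: accounts WITHOUT these bits
    )
    $mask = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $mask = $mask -bor $UacFlags[$f]
    }
    $clause = "(userAccountControl:${BitAnd}:=$mask)"
    if ($NotSet) { $clause = "(!$clause)" }
    # objectCategory=person with objectClass=user keeps computer objects out of the result
    "(&(objectCategory=person)(objectClass=user)$clause)"
}

function ConvertFrom-Uac {
    # Return the names of every flag set in a userAccountControl integer
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

# Disabled accounts, filtered on the domain controller (needs the ActiveDirectory module)
$disabledFilter = New-UacLdapFilter -Flag ACCOUNTDISABLE
Get-ADUser -LDAPFilter $disabledFilter -Properties userAccountControl |
    Select-Object Name, DistinguishedName,
        @{N = 'Flags'; E = { (ConvertFrom-Uac $_.userAccountControl) -join ',' } }

# The equivalent of the Quest -Enabled switch: accounts where the bit is NOT set
New-UacLdapFilter -Flag ACCOUNTDISABLE -NotSet

# Accounts that are disabled AND have a non-expiring password (both bits in one mask)
New-UacLdapFilter -Flag ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD

# Offline check of the decoder on a constructed value: 0x10202 is
# NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWORD
ConvertFrom-Uac -Value 0x10202
```

Because the filter string is built before the query is sent, the filtering still happens on the domain controller; only the matching accounts cross the network, which is the point the post makes about preferring an LDAP filter to a client-side where clause.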

4 Responses to Find user accounts that are disabled

  • Noobie says:

    Get-ADUser -filter * | where { $_.enabled -eq $False}

    …or do it in one line.

  • RichardSiddaway says:

    Your solution works but I am trying to introduce LDAP filters in as many places as possible as they are a point that is not well understood – especially when they get complex.

    I am also trying to have some consistency across the solutions

    The method I have given performs its filtering on the domain controller and only returns disabled accounts – your solution returns all users and the results are filtered on the client. This involves more network traffic – it is always better to filter at source.

    I did make a mistake in leaving the select statement in, but my Microsoft cmdlet solution is still a single line. I have found that breaking the lines at the pipe symbol makes the code more readable.

  • Ratheesh says:

    I need a PowerShell script to find out who disabled the user ID.

  • Rossell says:

    Excellent post, congratulations!