
Find user accounts that are disabled

Posted: February 4, 2012 | 4 Comments

Many organisations disable user accounts when a user leaves, and those accounts often remain cluttering AD for years. How can we find them? Here are four ways: the Microsoft AD cmdlets, the AD provider, the Quest cmdlets and a .NET DirectorySearcher.

# Microsoft AD cmdlets: -LDAPFilter takes a string, so quote the filter rather than wrapping it in a script block
Get-ADUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=2)" |
select Name, DistinguishedName |
Format-Table Name, DistinguishedName
"`nAD provider"
# AD provider: the AD: drive is created when the ActiveDirectory module loads; -Filter is an LDAP filter
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))" `
 -Path "AD:\DC=Manticore,DC=org" -Recurse |
Format-Table Name, DistinguishedName
# Quest AD cmdlets: -Disabled does the userAccountControl test for you
Get-QADUser -Disabled -SizeLimit 3000 |
Format-Table Name, DN
# .NET DirectorySearcher via the [adsisearcher] accelerator, bound to the default naming context
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"
$search.SizeLimit = 3000
$results = $search.FindAll()
foreach ($result in $results){
    # Properties is a dictionary keyed by attribute name; each value is a collection
    $result.Properties |
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}

You'll notice that (useraccountcontrol:1.2.840.113556.1.4.803:=2) appears in three out of the four solutions. This is an LDAP filter clause: 1.2.840.113556.1.4.803 is the bitwise AND matching rule, and the clause tests whether the ACCOUNTDISABLE bit (value 2) is set in the userAccountControl attribute. It's ugly but it works, and because the test runs on the domain controller only the disabled accounts come back over the network. The Quest cmdlet has a nice -Disabled switch (it also has an -Enabled switch to retrieve only enabled accounts).
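As an added example (not part of the original post), the following PowerShell builds that bitwise filter for any userAccountControl flag instead of hand-typing the OID, and decodes a few constructed userAccountControl values client-side so the bit test the matching rule performs is visible. The New-UacFilter, Test-UacFlag and ConvertFrom-Uac function names are my own; the flag values are the documented userAccountControl bits, the sample values are constructed, and no particular domain is assumed (the live Get-ADUser query at the end is commented out).

```powershell
# Added example, not code from the original post. Documented userAccountControl bits (subset).
$UacFlags = @{
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    PASSWORD_EXPIRED       = 0x800000
}

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: true when every bit in the value is set.
# 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR: true when any bit in the value is set.
# Function name is hypothetical; it only assembles the filter string the post uses.
function New-UacFilter {
    param(
        [Parameter(Mandatory=$true)][int]$Flags,
        [ValidateSet('And','Or')][string]$Rule = 'And',
        [switch]$Not
    )
    $oid = if ($Rule -eq 'And') { '1.2.840.113556.1.4.803' } else { '1.2.840.113556.1.4.804' }
    $clause = '(userAccountControl:{0}:={1})' -f $oid, $Flags
    if ($Not) { $clause = "(!$clause)" }
    '(&(objectClass=user)(objectCategory=person){0})' -f $clause
}

# Client-side equivalent of the BIT_AND rule: all requested bits must be present.
function Test-UacFlag {
    param([int]$Uac, [int]$Flags)
    ($Uac -band $Flags) -eq $Flags
}

# Names of every known flag set in a userAccountControl value, lowest bit first.
function ConvertFrom-Uac {
    param([int]$Uac)
    $UacFlags.GetEnumerator() |
        Where-Object { Test-UacFlag -Uac $Uac -Flags $_.Value } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

# Constructed sample values (not read from a directory): 512 is a normal enabled account,
# 514 is the same account disabled, 66050 is disabled with a non-expiring password.
foreach ($uac in 512, 514, 66050) {
    '{0,6} -> {1}' -f $uac, ((ConvertFrom-Uac -Uac $uac) -join ', ')
}

# The filter from the post, generated rather than hand-typed, and its negation for enabled accounts.
New-UacFilter -Flags $UacFlags.ACCOUNTDISABLE
New-UacFilter -Flags $UacFlags.ACCOUNTDISABLE -Not

# Live query against the joined domain (requires the ActiveDirectory module); left commented out.
# Get-ADUser -LDAPFilter (New-UacFilter -Flags $UacFlags.ACCOUNTDISABLE) -Properties userAccountControl |
#     Select-Object Name, DistinguishedName,
#         @{N='Flags'; E={ (ConvertFrom-Uac -Uac $_.userAccountControl) -join ',' }}
```

The -Not form is what Get-ADUser's Enabled property amounts to, so if you need enabled accounts only, negate the clause in the filter rather than pulling every user and testing Enabled on the client.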

Filed under: PowerShell and Active Directory


  1. By: Noobie on March 2, 2012 at 9:03 am

    Get-ADUser -filter * | where { $_.enabled -eq $False}

    …or do it in one line.

  2. By: RichardSiddaway on March 2, 2012 at 12:57 pm

    Your solution works but I am trying to introduce LDAP filters in as many places as possible as they are a point that is not well understood – especially when they get complex.

    I am also trying to have some consistency across the solutions

    The method I have given performs its filtering on the domain controller and only returns disabled accounts; your solution returns all users and the results are filtered on the client. This involves more network traffic. It is always better to filter at source.

    I did make a mistake in leaving the select statement in, but my Microsoft cmdlet solution is still a single line. I have found that breaking the lines at the pipe symbol makes the code more readable.

  3. By: Ratheesh on November 15, 2012 at 1:27 pm

    Need a PowerShell script to find who disabled the user ID.

  4. By: Rossell on April 8, 2013 at 4:27 pm

    Excellent post, congratulations!
