Find Disabled Users in OU Using PowerShell Script Tutorial

When using the Active Directory Users and Computers (ADUC) graphical snap-in, we can navigate through the Organizational Units (OUs) and check whether a user is disabled. Disabled users are marked with a downward black arrow. However, in a large organization with many OUs, checking all of the disabled users one by one is a tedious task.

So, in this article, we will discuss how to query disabled users in Active Directory faster and more easily using PowerShell scripting.

PowerShell Find Disabled Users in OU

Find Disabled Users in AD Using PowerShell

Installing the Active Directory Module

Prerequisites

We will need the following modules, components, or tools installed on our server or workstation to follow along in this guide:

  • Remote Server Administration Tools (RSAT) for Windows
  • Active Directory Module for PowerShell
  • A logged-in user account with Active Directory read and write rights
  • A domain-joined computer or server that will run the PowerShell scripts

Before querying Active Directory objects with the Active Directory cmdlets in PowerShell, we must install the Active Directory module. Running Active Directory cmdlets without the module installed and imported will throw an error.

Normally, running Install-Module in our PowerShell console fetches a module from a remote repository such as the PowerShell Gallery and installs it on our server or workstation. However, the AD module is a special case: before it can be used, we must install a prerequisite package called RSAT, the Remote Server Administration Tools.

RSAT enables us, as IT server administrators, to remotely manage roles and features on a Windows Server. These tools include managing a domain controller with the Active Directory Domain Services (AD DS) role installed. RSAT can be installed through the GUI, but for this article we will show the scripting method for installing it on our server or workstation using PowerShell.

Kindly take note that the scripts below are for Windows 10 and later (for workstations), and Windows Server 2008 and later (for servers):

# For Workstation
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

# For Server
Import-Module ServerManager
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

To check whether the Active Directory module has been installed properly, run the following command to import it into the current PowerShell session. Also, make sure that the current PowerShell session was started with administrator privileges.

Import-Module ActiveDirectory

Once the module is imported with no errors thrown, we can start managing our Active Directory using PowerShell.
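The steps above (install RSAT, import the module, confirm it loaded) can be combined into one script. The following is an added example, not code from the original article: it picks the workstation or server installation path from the OS product type, skips the install when RSAT is already present, and then verifies that the cmdlets used later in this article are actually available. It assumes an elevated PowerShell session on a domain-joined machine; the `$required` list is my own choice.

```powershell
# Added example: install the RSAT AD tools for the current OS type, import the
# Active Directory module and verify that the cmdlets this article relies on exist.
# Assumes an elevated session on a domain-joined workstation or server.
#Requires -RunAsAdministrator

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
if ($os.ProductType -eq 1) {
    # Workstation: RSAT ships as a Feature on Demand (Windows 10 1809 and later)
    $cap = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*'
    if ($cap.State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $cap.Name
    }
} else {
    # Server: RSAT is a Windows feature managed through ServerManager
    Import-Module ServerManager
    if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
        Install-WindowsFeature -Name RSAT-AD-PowerShell -IncludeAllSubFeature
    }
}

# -ErrorAction Stop turns a missing module into a terminating error instead of a warning
Import-Module ActiveDirectory -ErrorAction Stop

# Confirm the cmdlets used in the rest of the article resolve in this session
$required = 'Search-ADAccount', 'Get-ADUser', 'Get-ADOrganizationalUnit'
$missing  = $required | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
if ($missing) {
    throw "Active Directory module loaded but these cmdlets are missing: $($missing -join ', ')"
}
"Active Directory module $((Get-Module ActiveDirectory).Version) loaded on $($os.Caption)"
```

On a workstation the capability name is looked up with a wildcard rather than hard-coded, so the script keeps working if the version suffix after the tildes changes in a later Windows build.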

Get Disabled Users in PowerShell

Disabling a user in Active Directory prevents the account owner from logging in to the domain or the network. Usually, this is done as a security measure when revoking a user's access, for example after unusual behavior or termination within the organization. To disable a user, we can right-click the user object and select “Disable Account”, or double-click the user object and check the “Account is Disabled” checkbox.

Once the user is disabled, a small downward arrow icon appears on the user object. Checking disabled users in a single OU is simple; however, it gets tedious when we need to check users across many OU locations. So, let’s create a PowerShell script using several Active Directory commands to make the process easier.

Search-ADAccount

Search-ADAccount may be one of the most useful commands in the Active Directory module. It retrieves one or more Active Directory objects that meet the criteria specified by its parameters, including disabled objects when the AccountDisabled parameter is used.

Search-ADAccount -AccountDisabled

However, running the snippet above outputs every Active Directory object that is in a disabled state. Remember that in Active Directory we can disable not only users but computers as well. If we only want to display disabled user accounts, we must use the UsersOnly parameter.

Search-ADAccount -AccountDisabled -UsersOnly

We can use the ComputersOnly parameter if we want to display disabled computers instead. Now, if we want to narrow our search even further, for example to a specific organizational unit (OU), we can use the SearchBase and SearchScope parameters.

The SearchBase parameter accepts an Active Directory OU path (its distinguished name) as a string value. By adding the parameter, we can display all of the disabled users in a specific OU. An Organizational Unit is a container within Active Directory that can hold users, groups, and computers.

Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Marketing,OU=UserAccounts,DC=TEST,DC=COM"

Meanwhile, the SearchScope parameter plays the role of a Recursive parameter for searching child objects. A Recurse or Recursive parameter in PowerShell instructs a command to repeat its operation on child or sub-directories. The syntax below uses a SearchScope value of 2 (Subtree), which tells Search-ADAccount to recursively look at the OU and all of its child and grandchild OUs.

Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Marketing,OU=UserAccounts,DC=TEST,DC=COM" -SearchScope 2

Get-ADUser

Since we are primarily targeting user objects in our Active Directory, it is also best that we use the Get-ADUser command. According to the official Microsoft documentation, the Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. With that, the command can also search for users in the disabled state.

To achieve this, we will use the Filter parameter of the Get-ADUser command. The Filter parameter can limit results by any Active Directory attribute, such as name, email address, group type, last logon for users, and so on. The parameter acts similarly to the Where-Object command, in that it accepts a conditional statement to narrow down the search results.

Get-ADUser -Filter "*"

The snippet above will still display all of the users in the organization. So, we need to fill in the correct conditional statement to output disabled user accounts. To achieve this, we can use the Enabled property.

Active directory user objects have the Enabled property, which has a boolean value of either True or False. If the user’s Enabled property is set to True, it means the user is active. Meanwhile, the active directory user is disabled if the Enabled property is False.

Now that we know which property to filter on, we can create our code snippet. The syntax below displays only users that are in a disabled state. This works by comparing the Enabled property to $False with the equality comparison operator (-eq).

Get-ADUser -Filter "Enabled -eq $False"

Like the Search-ADAccount command, Get-ADUser also has the SearchBase and SearchScope parameters to narrow down search results to a specific organizational unit.

Get-ADUser -Filter "Enabled -eq $False" -SearchBase "OU=HR,OU=UserAccounts,DC=TEST,DC=COM" -SearchScope 2

One of the many advantages of PowerShell is that we can chain several commands to achieve a particular task using the pipeline. For example, instead of using the Filter parameter, we can pipe the output of Get-ADUser into the Where-Object command mentioned earlier. In that case, the conditional statement moves from the Filter parameter into the Where-Object clause.

To chain multiple commands in the pipeline, we use the pipeline operator (|). We also need the current-object token ($_), which gives access to the Enabled property of the object currently passing through the pipeline. The script then evaluates the conditional statement against that object to check whether the user is enabled or not.

Get-ADUser -Filter "*" -SearchBase "OU=HR,OU=UserAccounts,DC=TEST,DC=COM" -SearchScope 2 | Where-Object {$_.Enabled -eq $False}

PowerShell Find Disabled Users in OU Conclusion

This article discussed how to install the Remote Server Administration Tools and the Active Directory module for PowerShell. Next, we imported the Active Directory module to run a couple of commands that list all Active Directory user objects in a disabled state. Finally, we refined our script to output only the disabled users in a specific organizational unit.

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
