How to Get a List of Disabled Users in AD with or without PowerShell

Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing Netwrix Auditor for Active Directory

Native Auditing

Netwrix Auditor for Active Directory

Steps

Prerequisite: Since both the Search-ADAccount and Search-ADAccount cmdlets are part of the Active Directory PowerShell module, you will need to import the module to your domain controller using the following command:

Import-Module ActiveDirectory

1. Open the PowerShell ISE on any of your domain controllers→ Run one of the scripts below, paying close attention to the properties used:

Using the Get-ADUser cmdlet:

Get-ADUser -Filter {(Enabled -eq $False)} -ResultPageSize 2000-ResultSetSize $null -Properties Name, LastLogon | Export-CSV “C:\Temp\DisabledUsers.CSV” –NoTypeInformation

Using the Search-ADAccount cmdlet:

Search-ADAccount –AccountDisabled –UsersOnly –ResultPageSize 2000 –ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV “C:\Temp\DisabledUsers.CSV” –NoTypeInformation

2. Open the file produced by the script in MS Excel.

get disabled user with powershell: report generated in MS Excel

If you want to see the results in command prompt output instead, drop the Export-CSV portion of the script.

Run Netwrix Auditor → Navigate to “Reports” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “User Accounts” → Click “View” → Set the “Status” parameter to “Disabled” → Click “View Report”.
To save the report, click the "Export" button → Choose a format from the dropdown menu → Click “Save”.

get disabled users with Netwrix Auditor: User Accounts Report

Find Disabled Users in AD and Export the Results in a Few Clicks, Instead of Scripting in PowerShell

When an employee leaves the company or an application is no longer needed, it is important to deactivate the associated AD user or service account for housekeeping and security purposes. But those disabled accounts represent a serious threat — they can be re-enabled and exploited by attackers seeking access to Microsoft Active Directory, Windows servers and other AD-integrated systems. Therefore, it’s critical to know about all disabled user accounts in your Active Directory and delete them in a timely fashion to harden the security of your IT environment. As a result, finding disabled user accounts in an Active Directory domain is a common query in the daily admin management routine.

Checking a single AD account is straightforward using ADUC. However, retrieving the properties of users in bulk that way can be very time-consuming. You can opt to use PowerShell scripts and PowerShell cmdlets to get a list of disabled users and export that list to a CSV file. However, that approach requires Windows PowerShell scripting skills, and in large environments, exporting user objects to CSV using PowerShell can still take quite a lot of time .

Netwrix Auditor for Active Directory makes it easy to quickly get users that are disabled, listed with important details, such as the specific OU that the account belongs to and its last logon timestamp — without the need to craft a single script in PowerShell. You can quickly filter the results and export the list of disabled user accounts to any of multiple output file formats, including CSV. Then you can easily identify any user accounts that are no longer needed and can be deleted as part of your IT housekeeping procedures. You can even subscribe to the report to stay current on disabled user accounts without lifting a finger. Netwrix Auditor also empowers you to search for any events in your whole audit trail across integrated systems, and to create custom reports and alerts based on your requirements to further harden your security.

Previous How-to

How to Get Local Administrators with or without PowerShell

Next How-to

How to Get Local Users with or without PowerShell