Many organizations, at some point in time, require contractors or third parties to work alongside their employees and they are given the required privileges through a user account in Active Directory to do their job.
Once the job is complete, it is important to disable the associated AD user or service account for security purposes. However, those disabled accounts represent a serious threat as they can be re-enabled and misused by attackers seeking access to Active Directory, Windows servers and other AD-integrated systems. Therefore, it is crucial to have visibility over all disabled user accounts in Active Directory so that they can then be deleted in a timely fashion to maintain the security of your IT environment.
Consequently, finding disabled user accounts in an Active Directory domain is a frequent task in day-to-day administration.
Checking a single Active Directory account is straightforward using Active Directory Users and Computers. However, retrieving the properties of multiple users this way can be very time-consuming. You can instead run PowerShell cmdlets or scripts to get a list of disabled users and export that list to a CSV file. That method requires Windows PowerShell scripting skills, and in large environments, exporting user objects to CSV using PowerShell can also take a long time.
In this guide, the steps to get a list of disabled Active Directory users natively are explained. Native auditing does have several drawbacks, however, and an easier, more straightforward alternative is Lepide Auditor for Active Directory, which is explained at the end of this article.
Get Disabled AD Users using PowerShell
The Get-ADUser cmdlet is part of the Active Directory PowerShell module (installed by default on domain controllers), which means that you will need to import the module into your PowerShell session using the following command:
Import-Module ActiveDirectory
Open the PowerShell ISE on any of your domain controllers and run one of the scripts below:
# Enabled is returned by Get-ADUser by default; filter on it, then select plain
# properties (not Format-Table output, which cannot be exported as CSV) before exporting.
Get-ADUser -Filter * -Properties Enabled |
Where-Object {$_.Enabled -eq $false} |
Select-Object Name, SamAccountName, Enabled |
Export-Csv -Path C:\data\Disabled_Users5.csv -NoTypeInformation
Open the file produced by the script in MS Excel.
Note: If you want to see the results in the console instead, leave out the Export-Csv part of the script (you can pipe to Format-Table -AutoSize for readable output, but only when not exporting).
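The script above only tells you which accounts are disabled. For the clean-up the article recommends (deleting stale disabled accounts in a timely fashion), it helps to know how long each account has been disabled and whether it still holds group memberships. The following is an added example, not code from the original article or from Lepide; it assumes the ActiveDirectory module, a reachable domain controller, and that the 90-day threshold and output path are values you will adjust.

```powershell
# Added example: list disabled AD users with the time their userAccountControl
# attribute last changed (replication metadata), which for a disabled account is
# effectively the time it was disabled. Stale accounts are listed first so they
# can be reviewed and deleted.
Import-Module ActiveDirectory

$StaleAfterDays = 90                                   # assumption: review threshold
$OutPath        = 'C:\data\Disabled_Users_Review.csv'  # assumption: output location
$Dc             = (Get-ADDomain).PDCEmulator           # query one DC consistently

$report = Search-ADAccount -AccountDisabled -UsersOnly -Server $Dc |
    ForEach-Object {
        # Replication metadata records the originating change time of each attribute.
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                    -Server $Dc -Properties userAccountControl
        $user = Get-ADUser -Identity $_.DistinguishedName -Server $Dc `
                    -Properties Description, LastLogonDate, MemberOf
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            Name              = $user.Name
            Description       = $user.Description
            LastLogonDate     = $user.LastLogonDate
            DisabledSince     = $meta.LastOriginatingChangeTime
            DaysDisabled      = [int]((Get-Date) - $meta.LastOriginatingChangeTime).TotalDays
            # Disabled accounts that still sit in groups regain those rights if re-enabled.
            GroupCount        = @($user.MemberOf).Count
            DistinguishedName = $user.DistinguishedName
        }
    }

# Full list to CSV, longest-disabled first.
$report | Sort-Object DaysDisabled -Descending |
    Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8

# Console summary of the accounts that have passed the review threshold.
$report | Where-Object { $_.DaysDisabled -ge $StaleAfterDays } |
    Sort-Object DaysDisabled -Descending |
    Format-Table SamAccountName, DisabledSince, DaysDisabled, GroupCount, LastLogonDate -AutoSize
```

Accounts with a high GroupCount or a recent LastLogonDate deserve a closer look before deletion, since those are the ones an attacker would gain the most from re-enabling.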
Using Lepide Active Directory Auditor
The native method for reporting on disabled users is both complex and time-consuming. A more straightforward approach is to use Lepide Auditor for Active Directory. The Lepide AD auditing solution makes it easy to get a list of user accounts that are disabled, without the need for any knowledge of PowerShell scripting.
To run the All Disabled Users Report:
- From the States & Behavior screen, expand the Active Directory component and click on All Users.
- From the Account Status filter, choose Disable and click Generate Report.
- The report is generated showing all disabled user accounts.
- The report can be grouped, filtered, saved and exported.