I’ve written about Get-ADUser several times before because it is a pretty essential cmdlet for any Active Directory administrator, but I haven’t written about it in a while.
Recently I had a need to list all disabled accounts in a domain, so here is how to do it using Get-ADUser.
As a quick recap, to view the available options with Get-ADUser type.
help Get-ADUser
Next we want to find out the full list of properties Get-ADUser can give us so we can identify the specific property to search for. Pick a user at random and type:
Get-ADUser -identity username -properties *
Look for the Enabled property, as this is what we are going to search on.
Next type:
Get-ADUser -Filter * -Property Enabled | FT Name, Enabled -Autosize
So here you can see a list of all accounts, and whether they are disabled or not.
To only list the disabled accounts we need to use the Where-Object cmdlet.
Type:
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like “false”} | FT Name, Enabled -Autosize
Resources
Get-ADUser can be found here: http://technet.microsoft.com/en-us/library/ee617241.aspx
Where-Object can be found here: http://technet.microsoft.com/en-us/library/ee177028.aspx
Format-Table can be found here: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/format-table
What the heck is $_ can be found here: https://technet.microsoft.com/en-us/library/ee677578.aspx
Related Get-ADUser Posts:
1. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1
2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2
3. PowerShell: Get-ADUser to retrieve password last set and expiry information
4. PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember
Not a good query. Now you first get all users, then get the disabled ones.
Better is : Get-ADUser -Filter ‘Enabled -EQ $false’
This fetches only the accounts you are looking for.
Search-ADAccount -AccountDisabled
is more accurate