User and computer domain accounts that haven’t been used in a long time must be disabled by an Active Directory administrator on a regular basis. Even if the user knows the account’s password and it hasn’t expired, disabled accounts can’t log in to the domain.
The Active Directory Users & Computers graphical snap-in can be used to disable a user or machine account in Active Directory (ADUC). To do so, locate the user account in the console, right-click it, and choose Disable Account from the menu.
Or you can open the user’s properties and enable the “Account is disabled” option in the “Account options” section on the “Account” tab.
The PowerShell cmdlet Disable-ADAccount can also be used to disable the Active Directory account.
Install Active Directory for Windows PowerShell and use the command to import it into the PS session:
Import-Module ActiveDirectoryIn order to disable the jbrion user account, run the command:
Disable-ADAccount -Identity jbrion
In order to prompt the account disabling confirmation, you can add the –Confirm parameter.
Check that the account is disabled now (Enabled = False):
Get-ADUser jbrion |select name,enabled
The Disable-ADAccount cmdlet can be used to disable a domain computer as well as a user or service account. As a -Identity argument, you can specify the following AD object parameters:
- Distinguished Name;
- GUID (objectGUID);
- objectSid;.
Hint. To enable an account, use the command:
Get-ADUser jbrion | Enable-ADAccountTo disable all computer accounts in a specific OU:
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Laptops,OU=NY,OU=USA,DC=solutionviews,DC=com" | Disable-ADAccountTo find all disabled computer accounts in the domain, use the command:
Search-ADAccount -AccountDisabled -ComputersOnly|select Name,LastLogonDate,EnabledTo display list user accounts:
Hint. You may learn more about krbtgt, a unique service AD account.
You may disable multiple AD accounts using PowerShell. Create a text file containing a list of the user accounts you want to disable. Then, using the PowerShell script below, you may disable all user accounts from the txt file:
$users=Get-Content c:\ps\users.txt
ForEach ($user in $users)
{
Disable-ADAccount -Identity $($user.name)
}
Similarly, you can disable computer accounts:
$computers= Get-Content c:\ps\computers.txt
ForEach ($computer in $computers)
{
Disable-ADAccount -Identity "$($computer.name)$"
}You can identify all inactive accounts in the domain and disable them all at once with the Search-ADAccount cmdlet. If you wish to disable all users who haven’t logged into the domain in more than three months, for example:
$timespan = New-Timespan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount