Disabling Active Directory Users with PowerShell (Generalized)
Disabling Active Directory Users with PowerShell (Generalized)
A guide to efficiently disabling user accounts in specific Organizational Units (OUs) using PowerShell.
Introduction
This document provides a step-by-step guide on how to disable Active Directory (AD) user accounts located within specific Organizational Units (OUs) using PowerShell. This method is non-destructive, meaning the accounts are disabled and not deleted, allowing for easy re-enablement if needed.
We will focus on disabling all users within a 'YourTopLevelOU' and a 'YourNestedOU', assuming 'YourNestedOU' is nested under 'YourParentOU' and 'YourTopLevelOU' is a top-level OU directly under your domain (e.g., 'contoso.com').
ℹ️Prerequisites:
{{info}}
**Prerequisites:** Ensure you are running PowerShell with administrative privileges on a Domain Controller or a machine with the Remote Server Administration Tools (RSAT) for Active Directory installed.
{{/info}}
Rendered HTML (Conceptual - how BookStack *might* style it):
This is how BookStack would typically render the Markdown above, applying its own styles.
Prerequisites:
Ensure
1. Understanding Distinguished Names (DNs)
To target specific OUs, you need their precise Distinguished Name (DN). The DN is a unique identifier that specifies the exact location of an object within the Active Directory hierarchy.
- Your Domain:
yourdomain.com(e.g.,contoso.com) (translates toDC=yourdomain,DC=comorDC=contoso,DC=com) - YourTopLevelOU: This OU is directly under your domain.
DN:OU=YourTopLevelOU,DC=yourdomain,DC=com - YourParentOU: This OU is also directly under your domain.
DN:OU=YourParentOU,DC=yourdomain,DC=com - YourNestedOU: This OU is nested inside the 'YourParentOU'.
DN:OU=YourNestedOU,OU=YourParentOU,DC=yourdomain,DC=com
{{tip}}
**Tip: Verifying DNS:DNs:** To get the exact DN for any object in Active Directory Users and Computers (ADUC), enable "Advanced Features" under the "View" menu. Then, right-click the object, go to "Properties," click the "Attribute Editor" tab, and find the distinguishedName`distinguishedName` attribute. Copy its value directly.
{{/tip}}
Rendered HTML (Conceptual - how BookStack *might* style it):
Tip: Verifying DNs:
To get the exact DN for any object in Active Directory Users and Computers (ADUC), enable "Advanced Features" under the "View" menu. Then, right-click the object, go to "Properties," click the "Attribute Editor" tab, and find the distinguishedName attribute. Copy its value directly.
2. The PowerShell Cmdlet: `Disable-ADAccount`
The primary PowerShell cmdlet used for this operation is Disable-ADAccount. We will combine this with Get-ADUser to retrieve the target users.
Get-ADUser -Filter *: Retrieves all user objects.-SearchBase "Your_OU_DN": Specifies the starting point for the search.-SearchScope Subtree: Crucially, this ensures that not only users directly in the specified OU are found, but also users in any sub-OUs or containers beneath it.| Disable-ADAccount: The pipeline operator sends the retrieved user objects to theDisable-ADAccountcmdlet, which performs the disabling action.
3. Disabling Users in 'YourTopLevelOU'
To disable all user accounts within 'YourTopLevelOU' Organizational Unit, including any users in its sub-OUs, use the following command. Remember to replace YourTopLevelOU, yourdomain, and com with your actual OU and domain names.
PowerShell Command:Command (Markdown):
Get-ADUser -Filter * -SearchBase "OU=YourTopLevelOU,DC=yourdomain,DC=com" -SearchScope Subtree | Disable-ADAccount
{{warning}}
**Important:** This command will disable ALL user accounts found within the specified OU and any OUs nested inside it. Confirm your `SearchBase` is correct before execution.
{{/warning}}
Rendered HTML (Conceptual - how BookStack *might* style it):
Important:
This command will disable ALL user accounts found within the specified OU and any OUs nested inside it. Confirm your `SearchBase` is correct before execution.
4. Disabling Users in 'YourNestedOU'
To disable all user accounts within 'YourNestedOU' Organizational Unit, including any users in its sub-OUs (assuming 'YourNestedOU' is nested under 'YourParentOU'), use this command. Remember to replace YourNestedOU, YourParentOU, yourdomain, and com with your actual OU and domain names.
PowerShell Command:Command (Markdown):
Get-ADUser -Filter * -SearchBase "OU=YourNestedOU,OU=YourParentOU,DC=yourdomain,DC=com" -SearchScope Subtree | Disable-ADAccount
{{warning}}
**Important:** This command will disable ALL user accounts found within the specified OU and any OUs nested inside it. Double-check the `SearchBase` for accuracy.
{{/warning}}
Rendered HTML (Conceptual - how BookStack *might* style it):
Important:
This command will disable ALL user accounts found within the specified OU and any OUs nested inside it. Double-check the `SearchBase` for accuracy.
5. Verification (Optional but Recommended)
Before running the Disable-ADAccount part, you can test the Get-ADUser portion to see which users will be affected. Remove the | Disable-ADAccount part to just list the users:
PowerShell Command (Markdown):
Get-ADUser -Filter * -SearchBase "OU=YourTopLevelOU,DC=yourdomain,DC=com" -SearchScope Subtree | Select-Object Name, DistinguishedName, Enabled
Get-ADUser -Filter * -SearchBase "OU=YourNestedOU,OU=YourParentOU,DC=yourdomain,DC=com" -SearchScope Subtree | Select-Object Name, DistinguishedName, Enabled
After running the `Disable-ADAccount` commands, you can run the verification commands again to confirm that the `Enabled` status for the affected users has changed to `False`.
Conclusion
By following these steps, you can efficiently disable user accounts in specific Active Directory Organizational Units using PowerShell. This approach provides a quick and non-destructive way to manage user access.