Export List of Disabled Users from Active Directory: Find & Filter Users
Admins often need to export a list of disabled users from Active Directory, either to re-enable some of them or to delete them permanently. Disabling an account does not remove it: the object stays in the directory with its group memberships, attributes and current password, and a single attribute change re-enables it. Accounts that sit disabled and unreviewed are therefore a standing risk, and an export you can actually review is the first step in catching them. In this write-up we cover several ways to export disabled users from Active Directory to CSV: PowerShell, the command line, the built-in GUI consoles (ADUC and ADAC), and an automated tool.
Exporting the list of disabled users becomes crucial because anyone with the right to modify an account can re-enable it, and a re-enabled account immediately gets back every permission its group memberships still grant. This is especially true if your organization recently completed a project with external partners whose accounts were disabled rather than deleted.
Apart from this, regular cleanup of AD is part of most compliance frameworks. During such reviews, administrators need a way to find the users whose login has been revoked and which OU each one sits in. Luckily, there is more than one method available, so let us start with PowerShell commands and scripts.
How to Find Disabled Users in Active Directory Using PowerShell?
Even within PowerShell, several variations exist. The first one is a short script that uses the ActiveDirectory module (installed with RSAT, or present on any domain controller) to list every account whose Enabled property is false.
```powershell
# Import the Active Directory module
Import-Module ActiveDirectory

# Get all disabled users
$disabledUsers = Get-ADUser -Filter { Enabled -eq $false } -Properties DisplayName, SamAccountName

# Display the properties of the disabled users
$disabledUsers | Select-Object DisplayName, SamAccountName
```
Explanation of the script
- Import-Module ActiveDirectory: Imports the Active Directory module to use its cmdlets.
- Get-ADUser -Filter { Enabled -eq $false } -Properties DisplayName, SamAccountName: Retrieves all users whose Enabled property is False. SamAccountName is part of the default property set, but DisplayName is not, which is why it has to be requested with -Properties. Enabled is a convenience property derived from the ACCOUNTDISABLE bit of userAccountControl.
- Select-Object DisplayName, SamAccountName: Selects and displays the specified properties of the disabled users.
Finding out the exact date an account was disabled is not possible from a single attribute, because the schema has no "disabled on" property. Two workarounds exist. Either run the export on a schedule and compare each result with the previous run, or read the replication metadata of the userAccountControl attribute: its last-originating-change timestamp shows when that attribute last changed, which is usually (though not always, since other userAccountControl flags share the attribute) the disable event.
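The following is an added example and not code from the original article. It builds on the script above: it exports every disabled user to CSV together with the OU it sits in, its last logon, and the last-originating-change time of userAccountControl taken from replication metadata, which is the "disabled on" approximation just described. The output path, the choice of the PDC emulator as query target, and the column names are assumptions.

```powershell
# Added example, not from the original article: export disabled user accounts
# to CSV with their OU, last logon and the time userAccountControl last changed.
# $OutFile and the use of the PDC emulator as query target are assumptions.
Import-Module ActiveDirectory

$Dc      = (Get-ADDomain).PDCEmulator                       # assumption: one DC for consistent results
$OutFile = Join-Path $env:USERPROFILE 'Desktop\DisabledUsers.csv'   # assumed output path

# Search-ADAccount performs the ACCOUNTDISABLE bit test; -UsersOnly drops
# computer accounts, which are also "users" in the schema sense.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly -Server $Dc |
    Get-ADUser -Server $Dc -Properties DisplayName, Description, LastLogonDate, whenChanged, memberOf

$report = foreach ($u in $disabled) {
    # Replication metadata records when userAccountControl last changed on $Dc.
    # Any other change to that attribute (e.g. toggling "password never expires")
    # also moves this timestamp, so read it as "last UAC change", not as proof.
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $Dc `
                -Properties userAccountControl -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DisplayName    = $u.DisplayName
        # Parent container = DN minus the leading "CN=...," RDN. The regex copes
        # with escaped commas inside the CN (e.g. "CN=Doe\, Jane,OU=...").
        OU             = $u.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
        # LastLogonDate is derived from lastLogonTimestamp, which replicates
        # with a delay of up to 14 days; good enough for "stale or not".
        LastLogonDate  = $u.LastLogonDate
        UACLastChanged = $meta.LastOriginatingChangeTime
        whenChanged    = $u.whenChanged
        GroupCount     = @($u.memberOf).Count
        Description    = $u.Description
    }
}

$report | Sort-Object UACLastChanged -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

'{0} disabled user accounts written to {1}' -f @($report).Count, $OutFile
```

Run it from a domain-joined machine with RSAT as an account that can read the directory; no write permission is needed. GroupCount is worth a glance before deleting anything: a disabled account that still carries many memberships is exactly the kind of account that should not be re-enabled by mistake.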
Apart from PowerShell, administrators can also get the list of all disabled user accounts in a domain from the command line with dsquery, which is installed with the AD DS tools (part of RSAT) and on every domain controller.
Press Windows + R, type cmd in the Run dialog and press Enter.
In the command prompt, run the following query:
```
dsquery user -o samid -disabled
```
The result is printed to the console, but it is not strictly view-only: redirect it to a file with the usual > operator if you need to keep it. Note that dsquery returns at most 100 objects unless you raise the limit with -limit 0, so a large domain will be silently truncated otherwise.
Active Directory also ships with GUI consoles that can produce the list of disabled accounts.
If PowerShell isn't your forte and you don't want to deal with the command line, you can use the Active Directory Users and Computers (ADUC) console. It is present on every domain controller and on any domain-joined workstation with RSAT installed.
Using ADUC to Export List of Disabled Users from Active Directory
It is common practice to keep disabled users in a dedicated OU (it keeps the tree tidy and lets you link a restrictive GPO to that OU), so we start from there.
Step 1. Create Disabled Users OU
- Launch ADUC snap-in.
- Click on the New OU icon or right-click on the domain > New > Organizational Unit.
- Type a name (e.g., Disabled-Users) and click OK.
Step 2. Find and Put Disabled Users in the OU
- Right-click the domain.
- Select Find…
- Expand the Find dropdown and select Common Queries.
- Under the Users tab, tick the "Disabled accounts" checkbox and click Find Now.
- In the results, select the first account, then hold Shift and click the last result to select all of them.
- Right-click the selection and choose Move…
- In the dialog, select the Disabled-Users OU and press OK. Moving an account changes which GPOs and delegated permissions apply to it, so check the new OU's settings before moving accounts in bulk.
Step 3. Export the Disabled Users List in CSV format
- Go to the Disabled-Users OU. The Export List command writes every row of the current view, so selecting them first is optional.
- Click the Export List icon on the toolbar (or choose Action > Export List…).
- Choose a location, type a file name, and select Text (Comma Delimited) (*.csv) as the file type.
- Press Save.
Only the columns currently shown in the view are exported; add the attributes you need via View > Add/Remove Columns before exporting. You can find the resulting file at the chosen location. Administrators also have a faster way to a similar result via the Active Directory Administrative Center (ADAC). Let us see how.
- Step 1. Open Active Directory Administrative Center (ADAC).
- Step 2. Click Global Search in the navigation pane.
- Step 3. Click Convert to LDAP.
- Step 4. Paste the query:
```
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
```
The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, and 2 is the ACCOUNTDISABLE bit of userAccountControl. objectCategory=person restricts the result to user objects, so computer accounts (which also have objectClass=user) are excluded.
- Step 5. Click Apply.
- Step 6. Select the results, press Ctrl + C and paste them into a spreadsheet or Notepad.
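The LDAP filter above works unchanged from PowerShell, which is handy when you want more than ADAC's copy-and-paste result. The following is an added example, not code from the original article: it runs the same filter through Get-ADUser, decodes the userAccountControl bits so you can see which other flags each disabled account carries, and flags disabled accounts that still belong to a privileged group, the "wrong account to re-enable" that the article warns about. The flag values are the documented userAccountControl constants; the list of privileged group names (English defaults) and the output path are assumptions.

```powershell
# Added example, not from the original article: run the ADAC LDAP filter from
# PowerShell, decode userAccountControl, and highlight risky disabled accounts.
Import-Module ActiveDirectory

# Same filter as the ADAC query: person + user with bit 0x2 (ACCOUNTDISABLE) set.
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Subset of the documented userAccountControl flag values.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000
    PASSWORD_EXPIRED       = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Return the names of all flags set in $Value, comma separated.
    param([int]$Value)
    ($uacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

# Assumption: default English names of the built-in privileged groups.
$privGroupPattern = '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins|Account Operators|Backup Operators),'

$rows = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, adminCount, memberOf, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            UAC              = $_.userAccountControl
            Flags            = ConvertFrom-UserAccountControl $_.userAccountControl
            # adminCount=1 is stamped by SDProp on current (and former) members of protected groups.
            AdminCount       = $_.adminCount
            PrivilegedGroups = (@($_.memberOf) | Where-Object { $_ -match $privGroupPattern }) -join ';'
            whenChanged      = $_.whenChanged
        }
    }

$rows | Export-Csv -Path (Join-Path $env:TEMP 'disabled-users-uac.csv') -NoTypeInformation   # assumed path

# Review these first: disabled but still in a privileged group, or "password not required".
$rows | Where-Object { $_.PrivilegedGroups -or $_.Flags -match 'PASSWD_NOTREQD' } |
    Format-Table SamAccountName, Flags, AdminCount, PrivilegedGroups -AutoSize
```

memberOf does not include the primary group or memberships that come through nested groups, so treat PrivilegedGroups as a first pass; adminCount=1 on a disabled account is the stronger hint that it was once privileged.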
Even with ADUC or ADAC, administrators face some limitations: both are interactive consoles, so the export cannot easily be scheduled or run unattended, the ADUC export only contains the columns currently shown, and the ADAC result has to be copied by hand. If that is too cumbersome, the following tool may be a better fit.
Professional Way to Get Report of Disabled User Data from AD
The tool we have in mind is SysTools AD Reporter Software. It has an easy-to-learn, quick-to-deploy design, and its UI lets you add your AD environment from any workstation. Its filtering lets you find user accounts disabled in the last 7 days without writing a PowerShell script. Additionally, you can use the tool to check the last password change in Active Directory. Follow this short list of steps to get all the disabled user data.
Step 1. Launch the tool and use the temporary (administrator) credentials to log in.
Step 2. Click on the “REGISTER DOMAIN NAME” button on your screen.
Step 3. Add a name and enter the IP address (or host name) of a domain controller for the domain. Press Save and Continue.
Step 4. On the Domain Details page, validate the admin credentials. After that, open the Report tab.
Step 5. In the Report Section, there are multiple options to choose from. To view the full range of available object categories you have to scroll. You can also generate an Active Directory group membership report.
Step 6. Choose the Disabled Users option under the User section. Apply the duration (either the premade timespans or a custom range).
Step 7. Click on Preview to see what the data is going to look like.
Step 8. If it is as per your requirement, press the Download button and select CSV.
Step 9. In the window select where you want to put this data.
Step 10. View and share the CSV report.
Conclusion
In this write-up, we covered multiple ways to export a list of disabled users from Active Directory. Disabled accounts remain in the directory until someone removes them, so to keep the environment secure admins need a reviewable list in a shareable format. Among the methods above, the tool we suggested is, in our view, the optimal choice.
Frequently Asked Questions Regarding User Account Disabling
Q. Which Event IDs are associated with the user account disabling process?
Check the Security log on the domain controller that processed the change (the "User Account Management" and "Logon" audit subcategories must be enabled) for the following IDs:
Event ID 4725: This event is logged when a user account is disabled.
Source: Security (Microsoft-Windows-Security-Auditing)
Description: "A user account was disabled."
Reason: The Subject fields identify who disabled the account (an administrator, a script or a service account); the Target Account fields identify the account that was disabled.
Event ID 4738: This event is logged when a user account is changed. If the change disabled the account, the User Account Control field of the event reads "Account Disabled".
Source: Security
Description: "A user account was changed."
Reason: An attribute of the account was modified, possibly including the userAccountControl change that disables it. A disable action normally produces both 4725 and 4738.
Event ID 4625 with Sub Status 0xC0000072: This event is logged when someone attempts to log on with an account that is disabled in Active Directory.
Source: Security
Description: "An account failed to log on." The Sub Status 0xC0000072 (STATUS_ACCOUNT_DISABLED) is what identifies the disabled-account case.
Logon Type: Varies with how the logon was attempted (2 interactive, 3 network, 10 remote interactive, and so on); it is not fixed to 3.
Reason: Indicates a logon failure because the account is disabled. Repeated 4625 events with this sub status against one account are worth investigating, since a legitimate user usually knows the account was disabled.
Event ID 531 (legacy): On Windows Server 2003 and earlier, the same failure was logged as Event ID 531, "Logon Failure – Account currently disabled." Current versions of Windows no longer generate this ID.
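The following is an added example and not code from the original article. It reads the three event IDs above from a domain controller's Security log and reduces them to one table: who disabled which account, and which disabled accounts someone has since tried to log on with. It assumes the relevant audit subcategories are enabled, that the DC is reachable over RPC, that the caller may read its Security log, and that the message code %%2080 in the 4738 User Account Control field means "Account Disabled" (the documented value). The 30-day window and the output path are assumptions.

```powershell
# Added example, not from the original article: collect disable-related events
# from a DC's Security log. $Dc, $Since and the output path are assumptions.
Import-Module ActiveDirectory

$Dc    = (Get-ADDomain).PDCEmulator   # assumption: 4625s land on whichever DC authenticated, so repeat per DC
$Since = (Get-Date).AddDays(-30)

function Get-EventDataField {
    # Pull one named <Data Name="..."> value out of the event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object '#text'
}

$events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4725, 4738, 4625
    StartTime = $Since
}

$rows = foreach ($e in $events) {
    switch ($e.Id) {
        4725 {  # A user account was disabled.
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4725; What = 'Account disabled'
                               Target = Get-EventDataField $e 'TargetUserName'
                               Actor  = Get-EventDataField $e 'SubjectUserName'; Detail = '' }
        }
        4738 {  # A user account was changed; keep it only if the change disabled the account.
                # The UserAccountControl field carries message code %%2080 = "Account Disabled".
            $uac = Get-EventDataField $e 'UserAccountControl'
            if ($uac -match '%%2080\b') {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4738; What = 'UAC change: Account Disabled'
                                   Target = Get-EventDataField $e 'TargetUserName'
                                   Actor  = Get-EventDataField $e 'SubjectUserName'; Detail = $uac.Trim() }
            }
        }
        4625 {  # Failed logon; sub-status 0xC0000072 = STATUS_ACCOUNT_DISABLED.
            $sub = Get-EventDataField $e 'SubStatus'
            if ($sub -eq '0xC0000072') {    # -eq is case-insensitive; the log stores lowercase hex
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4625; What = 'Logon attempt on disabled account'
                                   Target = Get-EventDataField $e 'TargetUserName'
                                   Actor  = Get-EventDataField $e 'IpAddress'
                                   Detail = 'LogonType ' + (Get-EventDataField $e 'LogonType') }
            }
        }
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path (Join-Path $env:TEMP 'disabled-account-events.csv') -NoTypeInformation
```

Account-management events are written on the DC that applied the change, while 4625 is written on the DC that answered the authentication request, so for a complete picture loop over every DC (Get-ADDomainController -Filter *) or read the events from your SIEM instead.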
Q. Is there a way to visually distinguish between a disabled and active user account?
In ADUC, a disabled user account shows a small downward-pointing arrow overlaid on the regular user icon (older versions used a red X instead). The icons are small and easy to miss when scrolling a large OU, so for anything beyond a handful of accounts rely on a filter, a query or an export rather than on scanning icons.
Q. What is the difference between a disabled user and an expired user account?
Refer to the following table:
| Feature | Disabled User | Expired User |
| --- | --- | --- |
| How it is set | ACCOUNTDISABLE bit (0x2) in userAccountControl | accountExpires attribute set to a date in the past |
| Login Attempt | Fails – "Account disabled" message | Fails – "Account expired" message |
| Reactivation | Requires manual intervention by the administrator | The administrator resets or clears the expiry date |
| Use Case | Temporary account suspension; user left the company | Temporary employee/contractor access; seasonal/project-based accounts |
| Event ID | 4625 with Sub Status 0xC0000072 (531 on Windows Server 2003 and earlier) | 4625 with Sub Status 0xC0000193 (532 on Windows Server 2003 and earlier) |
Note that an expired account is still enabled: its Enabled property is true and its ACCOUNTDISABLE bit is clear, so the Get-ADUser filter and the LDAP query shown earlier will not return it. Expired accounts need their own search.