How to Disable an Active Directory Account Using PowerShell
Use the
Disable-ADAccount cmdlet in PowerShell to disable an Active Directory user account. You need to specify the user account by its Identity, such as username or distinguished name.Syntax
The basic syntax to disable an AD account is:
Disable-ADAccount -Identity <UserIdentifier>: Disables the specified user account.-Identity: Specifies the user by username, distinguished name, GUID, or SID.
powershell
Disable-ADAccount -Identity "username"Example
This example disables the AD user account with username jdoe. It shows how to run the command and the expected output.
powershell
Disable-ADAccount -Identity "jdoe" Write-Output "User jdoe has been disabled."
Output
User jdoe has been disabled.
Common Pitfalls
Common mistakes include:
- Not running PowerShell as an administrator or without the required Active Directory module.
- Using the wrong
-Identityvalue that does not match any user. - Trying to disable an account without proper permissions.
Always verify the user exists with Get-ADUser before disabling.
powershell
Get-ADUser -Identity "jdoe" Disable-ADAccount -Identity "jdoe"
Quick Reference
| Parameter | Description |
|---|---|
| -Identity | Specifies the user account to disable (username, DN, GUID, SID) |
| Disable-ADAccount | Cmdlet to disable the AD user account |
| Get-ADUser | Cmdlet to check if the user exists before disabling |
| Run as Administrator | Required to execute AD commands successfully |
Key Takeaways
Use Disable-ADAccount with the -Identity parameter to disable an AD user.
Verify the user exists with Get-ADUser before disabling.
Run PowerShell as administrator with Active Directory module loaded.
Ensure you have the necessary permissions to modify AD accounts.