PowerShell Script to Disable User Account Easily
Use the PowerShell command Disable-ADAccount -Identity 'username' to disable a user account in Active Directory.
Examples
Input: Disable-ADAccount -Identity 'jdoe'
Output: Disabled user account 'jdoe'.
Input: Disable-ADAccount -Identity 'alice.smith'
Output: Disabled user account 'alice.smith'.
Input: Disable-ADAccount -Identity 'nonexistentuser'
Output: Error: Cannot find an object with identity 'nonexistentuser'.
How to Think About It
To disable a user account, you need to identify the user by their username and then use a command that marks their account as disabled in the system. The PowerShell cmdlet Disable-ADAccount does exactly this by taking the username and disabling the account in Active Directory.
Algorithm
1. Get the username of the account to disable.
2. Check if the user exists in Active Directory.
3. If the user exists, run the command to disable the account.
4. Confirm the account is disabled or show an error if not found.
Code
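```powershell
# Load the Active Directory cmdlets
Import-Module ActiveDirectory

$username = 'jdoe'

try {
    # -ErrorAction Stop makes every failure terminating so the catch block sees it
    Disable-ADAccount -Identity $username -ErrorAction Stop
    Write-Output "Disabled user account '$username'."
}
catch {
    # Reached when the account is not found or the caller lacks permission
    Write-Output "Error: $_"
}
```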
Output
Disabled user account 'jdoe'.
Dry Run
Let's trace disabling the user 'jdoe' through the script.
1. Set username: $username = 'jdoe'
2. Run Disable-ADAccount: Disable-ADAccount -Identity 'jdoe'
3. Output result: Write-Output "Disabled user account 'jdoe'."
| Step | Action | Value |
|---|---|---|
| 1 | Set username | jdoe |
| 2 | Disable account | Success |
| 3 | Output message | Disabled user account 'jdoe'. |
Why This Works
Step 1: Import Active Directory Module
The script starts by loading the Active Directory module with Import-Module ActiveDirectory so it can use AD commands.
Step 2: Disable the User Account
The Disable-ADAccount cmdlet disables the user account identified by the username.
Step 3: Handle Errors
If the user does not exist, the try/catch block catches the error and outputs a friendly message.
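The script above goes straight to the disable call, while the algorithm also lists an existence check (step 2) and a confirmation (step 4). The following is an added example, not code from the original page, that carries out all four steps and returns a result object suitable for an offboarding or incident-response record. The function name Disable-UserAccountChecked and the Status values are hypothetical names chosen for illustration.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not from the original page): look up, disable, verify.
function Disable-UserAccountChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # Small helper so every exit path returns the same record shape
    $result = {
        param($status, $dn)
        [pscustomobject]@{ User = $SamAccountName; Status = $status; DistinguishedName = $dn }
    }

    # Step 2: look the account up first so "not found" is reported on its own.
    # Other failures (no DC reachable, access denied) are not caught and propagate.
    try {
        $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return & $result 'NotFound' $null
    }

    # Nothing to change if the account is already disabled
    if (-not $user.Enabled) {
        return & $result 'AlreadyDisabled' $user.DistinguishedName
    }

    # Step 3: disable. With -WhatIf, ShouldProcess returns $false and nothing is changed.
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        return & $result 'Skipped' $user.DistinguishedName
    }
    Disable-ADAccount -Identity $user -ErrorAction Stop

    # Step 4: re-read the object and confirm the Enabled flag is now false
    $after = Get-ADUser -Identity $user.DistinguishedName -ErrorAction Stop
    $status = if ($after.Enabled) { 'StillEnabled' } else { 'Disabled' }
    & $result $status $after.DistinguishedName
}

# Preview against the page's three sample usernames without changing anything
'jdoe', 'alice.smith', 'nonexistentuser' |
    ForEach-Object { Disable-UserAccountChecked -SamAccountName $_ -WhatIf }
```

Drop -WhatIf to apply the change; the returned objects can be piped to Export-Csv to keep a record of which accounts were disabled and which were not found.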
Alternative Approaches
Using Set-ADUser to disable account
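```powershell
# Load the Active Directory cmdlets
Import-Module ActiveDirectory

$username = 'jdoe'

try {
    # Setting -Enabled $false disables the account; -ErrorAction Stop routes failures to catch
    Set-ADUser -Identity $username -Enabled $false -ErrorAction Stop
    Write-Output "Disabled user account '$username' using Set-ADUser."
}
catch {
    Write-Output "Error: $_"
}
```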
This method uses Set-ADUser to disable the account by setting -Enabled $false. It is more flexible for other user property changes.
Using ADSI for environments without ActiveDirectory module
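```powershell
$username = 'jdoe'

# The LDAP path must match the account's real distinguished name
$user = [ADSI]("LDAP://CN=$username,OU=Users,DC=domain,DC=com")

# AccountDisabled is an ADSI interface property, not an LDAP attribute,
# so it is set through InvokeSet rather than by plain property assignment
$user.psbase.InvokeSet('AccountDisabled', $true)
$user.SetInfo()

Write-Output "Disabled user account '$username' using ADSI."
```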
This approach uses ADSI to disable the account directly but requires correct LDAP path and permissions.
Complexity: O(1) time, O(1) space
Time Complexity
Disabling a user account is a single operation with no loops, so it runs in constant time.
Space Complexity
The script uses a fixed amount of memory for variables and commands, so space complexity is constant.
Which Approach is Fastest?
Both Disable-ADAccount and Set-ADUser run quickly; ADSI may be slightly slower due to manual LDAP handling.
| Approach | Time | Space | Best For |
|---|---|---|---|
| Disable-ADAccount | O(1) | O(1) | Simple disabling of AD user accounts |
| Set-ADUser -Enabled $false | O(1) | O(1) | Disabling plus other user property changes |
| ADSI method | O(1) | O(1) | Environments without ActiveDirectory module |
Always run PowerShell as administrator and ensure you have the right permissions to modify user accounts.
Beginners often forget to import the Active Directory module before running Disable-ADAccount.