
PowerShell Script to Get Disabled AD Users Easily

Use the PowerShell command Get-ADUser -Filter 'Enabled -eq $false' -Properties Enabled | Select-Object Name, Enabled to list all disabled Active Directory users.

Examples

Input: No disabled users in AD
Output: No output or empty list

Input: Some users disabled
Output:

```
Name       Enabled
----       -------
John Doe     False
Jane Smith   False
```

Input: All users enabled
Output: No output or empty list

How to Think About It

To find disabled AD users, you ask Active Directory for users where the Enabled property is false. This filters out all active users and shows only those who are disabled.

Algorithm

1. Connect to Active Directory.
2. Query users with the filter where Enabled equals false.
3. Select user names and their Enabled status.
4. Display the list of disabled users.

Code

```powershell
# Load the Active Directory cmdlets.
Import-Module ActiveDirectory
# Query only disabled users and keep the two columns of interest.
$disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' -Properties Enabled | Select-Object Name, Enabled
Write-Output $disabledUsers
```

Output

```
Name       Enabled
----       -------
John Doe     False
Jane Smith   False
```

Dry Run

Let's trace a query where AD has two disabled users: John Doe and Jane Smith.

1. Run Get-ADUser with filter
   Get-ADUser -Filter 'Enabled -eq $false' returns John Doe and Jane Smith objects.

2. Select Name and Enabled properties
   Select-Object extracts Name and Enabled from each user.

3. Output the list
   Write-Output prints the list showing names and Enabled = False.

| Name | Enabled |
|---|---|
| John Doe | false |
| Jane Smith | false |

Why This Works

Step 1: Filtering Disabled Users

The -Filter 'Enabled -eq $false' tells PowerShell to get only users whose Enabled property is false, meaning disabled.

Step 2: Selecting Relevant Properties

Using Select-Object Name, Enabled shows only the user name and their enabled status for clarity.

Step 3: Outputting the Result

The Write-Output command prints the list to the console so you can see which users are disabled.


Alternative Approaches

Using LDAP filter

```powershell
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" | Select-Object Name
```

This uses LDAP syntax to find disabled accounts but is less readable than the Enabled property filter.

Using Where-Object filter

```powershell
Get-ADUser -Filter * -Properties Enabled | Where-Object { $_.Enabled -eq $false } | Select-Object Name, Enabled
```

This gets all users first then filters in PowerShell, which is slower for large directories.
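
The LDAP filter above matches on one bit of userAccountControl: the matching rule 1.2.840.113556.1.4.803 is a bitwise AND, and 2 is the ACCOUNTDISABLE bit. The following added example (not part of the original page) performs the same test in PowerShell on constructed sample records; the helper names ConvertFrom-UserAccountControl and Select-DisabledAccount are hypothetical.

```powershell
# Subset of userAccountControl flag bits (values from Microsoft's documented flag table).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function ConvertFrom-UserAccountControl {
    # Hypothetical helper: returns the names of the flags set in a UAC integer.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Select-DisabledAccount {
    # Hypothetical helper: keeps objects whose ACCOUNTDISABLE bit (2) is set,
    # the same test as (userAccountControl:1.2.840.113556.1.4.803:=2).
    param([Parameter(ValueFromPipeline)]$InputObject)
    process {
        $uac = [int]$InputObject.userAccountControl
        if (($uac -band $UacFlags.ACCOUNTDISABLE) -ne 0) {
            [pscustomobject]@{
                Name    = $InputObject.Name
                Enabled = $false
                Flags   = (ConvertFrom-UserAccountControl $uac) -join ', '
            }
        }
    }
}

# Constructed sample data standing in for:
#   Get-ADUser -Filter * -Properties userAccountControl
$sample = @(
    [pscustomobject]@{ Name = 'John Doe';    userAccountControl = 514   }  # 512 + 2
    [pscustomobject]@{ Name = 'Jane Smith';  userAccountControl = 66050 }  # 65536 + 512 + 2
    [pscustomobject]@{ Name = 'Alex Active'; userAccountControl = 512   }  # enabled account
)

# Only the two records with bit 2 set pass the filter.
$sample | Select-DisabledAccount | Format-Table -AutoSize
```

The Flags column shows what else is set on a disabled account, such as a non-expiring password, which is worth reviewing before an account is re-enabled.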

Complexity: O(n) time, O(n) space

Time Complexity

The command queries all users matching the filter, so time grows linearly with the number of users in AD.

Space Complexity

The script stores the filtered user list in memory, so space grows with the number of disabled users.

Which Approach is Fastest?

Filtering directly in Get-ADUser is fastest; filtering later with Where-Object is slower.

| Approach | Time | Space | Best For |
|---|---|---|---|
| Filter in Get-ADUser | O(n) | O(n) | Efficient for large AD environments |
| Where-Object filtering | O(n) | O(n) | Simple but slower for big data |
| LDAP Filter | O(n) | O(n) | Advanced LDAP users, less readable |

Tip: Always import the ActiveDirectory module before running AD commands with Import-Module ActiveDirectory.

Warning: Forgetting to import the ActiveDirectory module or running the script without proper permissions causes errors.