This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Dear all,
I'm working on a script that can find disabled user accounts within any Active Directory sub-OU of the domain. I tried the cmdlets Search-ADAccount and Get-ADUser, but it always ends up finding only two disabled user accounts located in the built-in Users OU. No greater luck by using the -SearchBase and -SearchScope parameters to target a specific OU or explicitly perform the search in all the sub-OU's. See image below:
I have read other similar threads, but none of the solutions proposed worked for me.
I can't figure out how to recursively look within sub-OU's and return all the disabled users scattered within them. If I use the console Active Directory Users and Computers to create a new saved query, it works just fine, but I need to automate the task through a PowerShell script: moving all the disabled user accounts to a specific OU before deletion (in any case, I need to first be able to find them).
Any input will be much appreciated. Thanks in advance!
Andrea
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Are you sure the account you're using to run the cmdlets has the necessary access?
FYI, there's no default "Users" OU. There's a "Users" Container, though. Note that there's no "OU" in the distinguished names in your example.
Thank you @Rich Matheisen ,
It was as easy as running PowerShell ISE as Admin to solve the riddle. Since I was logged in with a domain admin account and since the strings were returning something (those 2 disabled accounts in the built-in Users "container"), I didn't think I needed to run PS ISE with higher privileges.
All 4 command strings you see in my screenshot now work (with or without the specification of a target OU).
Regards.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 73%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "false"} | ft Name, Enabled -Autosize
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 14.000000000000002%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hello dear everyone,
How can I filter accounts whose user accounts have been closed within this year?
I will search all accounts, if the account is closed within the date range I specified, the information should be written on the screen. Can you help with this issue.
Your question is different to the OPs question. Create a new question for this if you still want to, but there's no record of when an account is disabled unless you're auditing modifications. The "lastlogon" property may be helpful, but if the account has been modified after being disabled (e.g., removed from a group) then the date will only provide a rough estimation.