arokira asked Kailas-6783 answered

Find domain disabled users (in all sub-OU's)

Dear all,

I'm working on a script that can find disabled user accounts within any Active Directory sub-OU of the domain. I tried the cmdlets Search-ADAccount and Get-ADUser, but it always ends up finding only two disabled user accounts located in the built-in Users OU. No greater luck by using the -SearchBase and -SearchScope parameters to target a specific OU or explicitly perform the search in all the sub-OU's. See image below:

45385-screen-shot-2020-12-04-at-50003-pm.png

I have read other similar threads, but none of the solutions proposed worked for me.

I can't figure out how to recursively look within sub-OU's and return all the disabled users scattered within them. If I use the console Active Directory Users and Computers to create a new saved query, it works just fine, but I need to automate the task through a PowerShell script: moving all the disabled user accounts to a specific OU before deletion (in any case, I need to first be able to find them).

Any input will be much appreciated. Thanks in advance!


Andrea


windows-server-powershell

Are you sure the account you're using to run the cmdlets has the necessary access?

FYI, there's no default "Users" OU. There's a "Users" Container, though. Note that there's no "OU" in the distinguished names in your example.

arokira answered arokira edited

Thank you @RichMatheisen-8856 ,

It was as easy as running PowerShell ISE as Admin to solve the riddle. Since I was logged in with a domain admin account and since the strings were returning something (those 2 disabled accounts in the built-in Users "container"), I didn't think I needed to run PS ISE with higher privileges.

All 4 command strings you see in my screenshot now work (with or without the specification of a target OU).

Regards.

Kailas-6783 answered

Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "false"} | ft Name, Enabled -Autosize
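
An added example, not code from any post in this thread: it combines the fix that worked above (an elevated session) with the original goal of collecting disabled users from every sub-OU and staging them in one OU. It assumes the ActiveDirectory module is installed; `$TargetOU` is a hypothetical placeholder, and the built-in Guest and krbtgt accounts, which are disabled by default, are skipped by their well-known RIDs so they are never staged for deletion.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical quarantine OU (assumption): replace with an OU that exists in your domain.
$TargetOU = 'OU=Disabled Users,DC=example,DC=com'

# The thread's fix: the same queries only returned every account from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Session is not elevated; the result set may be incomplete.'
}

# Search from the domain root down through every container and OU.
$domainDN = (Get-ADDomain).DistinguishedName
$found = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $domainDN -SearchScope Subtree

# Skip built-in Guest (RID 501) and krbtgt (RID 502), which are disabled by default,
# and anything that already sits in the target OU.
$disabled = $found | Where-Object {
    ($_.SID.Value -notmatch '-50[12]$') -and
    ($_.DistinguishedName -notlike "*,$TargetOU")
}

# Review the list before anything is moved.
$disabled |
    Sort-Object DistinguishedName |
    Format-Table Name, SamAccountName, DistinguishedName -AutoSize

# Dry run: -WhatIf prints each move without performing it.
$disabled | Move-ADObject -TargetPath $TargetOU -WhatIf
```

Remove `-WhatIf` only after the preview lists exactly the accounts you expect.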
