How to find disabled Active Directory User accounts

When you need to search for disabled users in Active Directory in a very large environment with many organizational units, there are a few ways to go about it. Finding them is relatively easy using the Active Directory Administrative Center.

See also how to detect who disabled a user in Active Directory – Best Monitoring Tools and Software: https://techdirectarchive.com/2020/03/19/how-to-detect-who-disabled-a-user-in-active-directory-best-monitoring-tools-and-software/

To demonstrate this, I will proceed to disable some users in my test lab as shown below.

This will let you know that the object has been disabled, as shown below.

Now we have some users deleted as shown below.

Note: To avoid having to search for them in the future, it is best practice to create a container dedicated to housing disabled users only. Below are some procedures for finding disabled users.

PowerShell: Run the cmdlet below to return disabled accounts.
– This will display the list of disabled users with other user account parameters (attributes) as shown in the image below. The -UsersOnly switch keeps disabled computer accounts out of the results.

Search-ADAccount -AccountDisabled -UsersOnly

To return only the username of disabled users, run the following cmdlet.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

Common Queries: I will be demonstrating this using the common queries.

Open the “Active Directory Users and Computers” console as shown below
– Click on Tools and
– Select Active Directory Users and Computers

Click on “Find object in Active Directory Domain Services”

Under the Find drop-down menu, select “Common Queries”
– Select Disabled account
– And click on Find Now as shown below

This will display a list of disabled accounts in your Active Directory environment as shown below.

Via Saved Queries: The steps below display disabled users in an Active Directory environment as a saved query.

Launch the Active Directory Users and Computers console
– Right-click on “Saved Queries”
– Click on New
– Click on Query

This will open the “New Query” properties window.
– Enter the Query name
– Click on Define Query

Select Disabled Account and
– Click on Ok

This will display a list of disabled accounts as a saved query, as shown below.

Ensure you have a procedure in place to delete disabled accounts after a certain period of time so that your Active Directory environment does not become messy.
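
The script below combines the two recommendations above: keeping disabled users in a dedicated container and reviewing them for deletion after a set period. It is an added example, not part of the original article; the OU path, the 90-day window and the CSV file name are assumptions, and it needs the ActiveDirectory module and a reachable domain.

```powershell
# Added example: audit disabled users against a dedicated OU and a retention window.
Import-Module ActiveDirectory

$DisabledOu    = 'OU=Disabled Users,DC=example,DC=com'  # assumed OU, replace with your own
$RetentionDays = 90                                     # assumed retention period
$Cutoff        = (Get-Date).AddDays(-$RetentionDays)

# whenChanged only approximates the time of disabling: any later change to the
# object updates it. The linked article on who disabled a user covers audit events.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' `
    -Properties whenChanged, LastLogonDate, isCriticalSystemObject

$report = foreach ($u in $disabled) {
    # Built-in accounts such as krbtgt and Guest are disabled by default and are
    # flagged as critical system objects; never move or delete them.
    if ($u.isCriticalSystemObject) { continue }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        InDisabledOu      = $u.DistinguishedName.EndsWith(",$DisabledOu",
                                [StringComparison]::OrdinalIgnoreCase)
        WhenChanged       = $u.whenChanged
        LastLogonDate     = $u.LastLogonDate
        PastRetention     = $u.whenChanged -lt $Cutoff
        DistinguishedName = $u.DistinguishedName
    }
}

# 1. Disabled users still scattered outside the dedicated OU.
$stragglers = $report | Where-Object { -not $_.InDisabledOu }
$stragglers | Sort-Object WhenChanged |
    Format-Table SamAccountName, WhenChanged, DistinguishedName -AutoSize

# 2. Accounts past the retention window, exported for review before deletion.
$report | Where-Object { $_.PastRetention } |
    Export-Csv -Path .\disabled-past-retention.csv -NoTypeInformation

# 3. Preview moving the stragglers into the dedicated OU.
#    -WhatIf prints the action without changing anything; remove it to apply.
foreach ($s in $stragglers) {
    Move-ADObject -Identity $s.DistinguishedName -TargetPath $DisabledOu -WhatIf
}
```

The script deletes nothing: the CSV is a review list, and the move is a preview until -WhatIf is removed.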
