I was doing some volunteer work recently when it came to my attention that there was a large number of enabled users in their Active Directory environment. This number was far greater than the amount of active employees. In order to address this, we took a simple approach:
- Export a list of enabled users.
- Have those with institutional knowledge review the list to determine who should be disabled.
- Use this second list to quickly and systematically disable the appropriate users.
Of course, I turned to my favorite friend, PowerShell, to help accomplish the task. The commands I used are below. They are very straight-forward, but hopefully by posting them here I can save someone else a few moments of searching. Hope this helps!
(Side note, you can use the same process in reverse to enable a list of disabled users.)
The Commands
The first command searches Active Directory for enabled users, selects the Name and SamAccountName of those users (for ease of review by those with business knowledge), and writes them to a text file.
Get-ADUser -filter 'Enabled -eq "True"' | Select-Object Name, SamAccountName | Out-File .\EnabledUsers.txt
Once the final, reviewed file is ready, use your favorite text editor to remove everything but the SamAccountName values (I prefer VS Code). Then use the second command to import that file and disable all of the listed accounts.
Get-Content .\DisableUsers.txt | Disable-ADAccount
And voila! You’ve quickly and easily disabled a large number of potential threat vectors. Sleep a little easier tonight.
In my situation I already have a list of Users, not user names. Do you know of a better way to have powershell look through that list of users and disable the ones that it finds?
That’s a good question. When you say a list of users, how are they listed? First name and last name? Something else? If it’s something unique that can be matched to an AD field, then it can still work.