I was doing some volunteer work recently when it came to my attention that there was a large number of enabled users in their Active Directory environment. This number was far greater than the amount of active employees. In order to address this, we took a simple approach:
- Export a list of enabled users.
- Have those with institutional knowledge review the list to determine who should be disabled.
- Use this second list to quickly and systematically disable the appropriate users.
Of course, I turned to my favorite friend, PowerShell, to help accomplish the task. The commands I used are below. They are very straight-forward, but hopefully by posting them here I can save someone else a few moments of searching. Hope this helps!
(Side note, you can use the same process in reverse to enable a list of disabled users.)
The Commands
The first command searches Active Directory for enabled users, selects the Name and SamAccountName of those users (for ease of review by those with business knowledge), and writes them to a text file.
Get-ADUser -filter 'Enabled -eq "True"' | Select-Object Name, SamAccountName | Out-File .\EnabledUsers.txt
Once the final, reviewed file is ready, use your favorite text editor to remove everything but the SamAccountName values (I prefer VS Code). Then use the second command to import that file and disable all of the listed accounts.
Get-Content .\DisableUsers.txt | Disable-ADAccount
And voila! You’ve quickly and easily disabled a large number of potential threat vectors. Sleep a little easier tonight.
Leave a Reply