Enabling and disabling Active Directory user accounts in bulk

Active Directory user accounts can be enabled or disabled in bulk by using Active Directory Users and Computers snap-in and PowerShell. Most Active Directory admins like to use PowerShell considering the fact it helps in reducing the time it takes to perform the same operation using GUI tools. As for an example, if you need to query the Home Folder property for all users in the Active Directory, you will use the Get-ADUser PowerShell cmdlet. Similarly, in case you need to collect Operating System version for all domain-joined computers, you can use the Get-ADComputer PowerShell cmdlet. When it comes to enabling or disabling AD user accounts in bulk, PowerShell is the easiest option. We will explain how to enable or disable user accounts in bulk in this article.

PowerShell cmdlets you will use

Microsoft Active Directory PowerShell modules provide two PowerShell cmdlets to perform enable and disable operations against user accounts: Enable-ADAccount and Disable-ADAccount. As the name suggests, Enable-ADAccount helps in enabling an AD user, computer, and service account while Disable-ADAccount helps in disabling the account. In this article, we will explain how to use both these PowerShell cmdlets to enable/disable Active Directory user accounts.

Enabling a single user account

Enabling a single AD User account is quite easy. You can use both Active Directory Users and Computers snap-in or PowerShell. To enable an AD user account using PowerShell, you will execute this PowerShell command:


Enable-ADAccount –Identity “TestAccount”
Enable-ADAccount –Identity “CN=TestAccount,OU=Users,DC=TechGenix,DC=Com”


You can use either SamAccountName or Distinguished Name after the “-Identity” parameter.

Enabling multiple user accounts

Active Directory user accounts
In case you wish to enable multiple Active Directory user accounts, you can use two approaches. You can use the Get-ADUser PowerShell cmdlet to get user accounts from a specific organizational unit and then perform the enable operation using Enable-ADAccount as shown in the PowerShell command below:


Get-ADUser –SearchBase “OU=Users,DC=TechGenix,DC=Com” | Enable-ADAccount


As you can see in the above command, we use the Get-ADUser PowerShell cmdlet to get users from “OU=Users,DC=TechGenix,DC=Com” and then use Enable-ADAccount to enable each user account retrieved by the Get-ADUser PowerShell cmdlet. Note that the above approach allows you to enable user accounts in a single organizational unit. If you wish to enable user accounts scattered in multiple organizational units, you will need to create a CSV file that holds the name of the user accounts and then execute the Enable-ADAccount as shown in the script below:


$UserAccounts = “C:\Temp\UserDN.TXT”
Foreach ($ThisUser in Get-Content “$UserAccounts”)
{
Enable-ADAccount -Identity $ThisUser
}


The tiny PowerShell script above collects user accounts specified in the C:\Temp\UserDN.TXT file and then executes the Enable-ADAccount against each user account.

Disabling single and multiple user accounts

Disabling a single user account can be done by executing below one-liner PowerShell commands:


Disable-ADAccount –Identity “TestAccount”
Disable -ADAccount –Identity “CN=TestAccount,OU=Users,DC=TechGenix,DC=Com”


In case you wish to perform disable operation for multiple user accounts in the Active Directory, you can use a one-liner PowerShell command, which, in turn, allows you to perform operation against a specific organizational unit or a PowerShell script that can help you disable user accounts listed in a text file.


Get-ADUser –SearchBase “OU=Users,DC=TechGenix,DC=Com” | Disable-ADAccount


As you can see in the above PowerShell command, it disables all user accounts located in “OU=Users,DC=TechGenix,DC=Com” organizational unit. The PowerShell script below can be used to disable user accounts specified in C:\Temp\UserDN.TXT file.


$UserAccounts = “C:\Temp\UserDN.TXT”
Foreach ($ThisUser in Get-Content “$UserAccounts”)
{
Disable-ADAccount -Identity $ThisUser
}


As you might have noticed in the above commands, we used basic PowerShell script techniques to process enable/disable operations for bulk user accounts.

Know PowerShell? Do it yourself

In this article, we explained how to enable or disable user accounts in bulk. While there are several third-party tools available that can help you enable or disable Active Directory user accounts in bulk, if you have basic PowerShell scripting skills you can always use Enable-ADAccount and Disable-ADAccount and the techniques defined in this article to enable/disable user accounts. We also explained how you can enable/disable user accounts specified in a text file.

About The Author

2 thoughts on “Enabling and disabling Active Directory user accounts in bulk”

  1. How can i use if condition command in powershell to check if the user is enabled or disabled.
    like ” If user is enabled in AD then proceed to disable the account else stop”
    Please suggest

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top