In this lecture, we are going to be learning how we can automatically move disabled users to our Disabled Users OU. This is kind of a little cleanup script that we are going to create and run. It can come in handy when you have several disabled users.

We open Active Directory Users and Computers and we see we have three disabled users.

If you have hundreds of disabled users in your Active Directory Domain, and they are not in the Disabled Users OU, we can write a script that will automatically move them there.

To create the script open Windows PowerShell ISE by clicking on the bottom left on the Windows icon and type powershell. Click on Windows PowerShell ISE.

 The Windows PowerShell ISE opens up and looks like the following:

 Let’s type the following code to list all disabled users:

# Import the AD Module

Import-Module ActiveDirectory

# List all disabled AD users

Search-ADAccount -AccountDisabled | Select-Object Name, DistinguishedName

Click the green Play icon and we should see the output at the bottom pane.

From the output, we can see we have disabled users in different Containers and OUs.

First, make sure Advanced Features is enabled in Active Directory Users and Computers.

 Then, we select the Disabled OU and right-click and select Properties.

Now from the Properties window click on the Attribute Editor tab and double-click on the distinguishedName line to see the location.

Copy the value as it will be needed for our script.

Now what we are going to do is move all these disabled user accounts. Let’s add more lines of code to the script.

# Import the AD Module

Import-Module ActiveDirectory

# List all disabled AD users

Search-ADAccount -AccountDisabled | Select-Object Name, DistinguishedName

# Move all disabled AD users to disabled users OU

Search-ADAccount -AccountDisabled | Move-ADObject -TargetPath "OU=Disabled Users,OU=instructorpaul,DC=instructorpaul,DC=com"

Now, we click the run script icon (green Play button) and the script will get executed.

Open Active Directory Users and Computers to verify the disabled users have been moved to the Disabled Users OU.

Click Refresh. We now see all the disabled users under the OU.

Another thing we can do is, for example, we have a user that has been placed in the Disabled Users OU but the account is not disabled.

If we move an enabled user like Ridley Quin to the Disabled Users OU but forgot to disable the user account we can also make the script disable the user accounts that are inside the Disabled Users OU.

Let’s move the user to the Disabled Users OU by clicking on it and dragging it to Disabled Users and dropping it there.

 Let’s add the following to our script:

# Import the AD Module

Import-Module ActiveDirectory

# List all disabled AD users

#Search-ADAccount -AccountDisabled | Select-Object Name, DistinguishedName

# Move all disabled AD users to disabled users OU

#Search-ADAccount -AccountDisabled | Move-ADObject -TargetPath "OU=Disabled Users,OU=instructorpaul,DC=instructorpaul,DC=com"

# Disable all users in the disabled users OU

Get-ADUser -Filter {Enabled -eq $True} -SearchBase "OU=Disabled Users,OU=instructorpaul,DC=instructorpaul,DC=com" | Select-Object Name

Click the Run script button.

From the output, we can see we are selecting the account Ridley Quin because it is in the Disabled Users OU and its Enabled.

Now let’s update the script to perform the action.

# Import the AD Module

Import-Module ActiveDirectory

# List all disabled AD users

Search-ADAccount -AccountDisabled | Select-Object Name, DistinguishedName

# Move all disabled AD users to disabled users OU

#Search-ADAccount -AccountDisabled | Move-ADObject -TargetPath "OU=Disabled Users,OU=instructorpaul,DC=instructorpaul,DC=com"