How to Disable Multiple Users in Active Directory to Revoke Access
Organizations that use AD may occasionally ask their administrators how to disable multiple users in Active Directory. This is especially common after a joint project between two entities: once the project completes, it is the admin’s responsibility to revoke the external party’s access to the AD.
Table of Contents
- Disable Accounts with ADUC
- Revoke Access in Bulk via Admin Center
- Command Line Account Disabling
- End User Account Access With PowerShell Scripts
- Why a Professional Tool is Beneficial
- Conclusion
- Frequently Asked Questions
Not doing so introduces potential security risks. Disabling is preferred over expiry or deletion when user data needs to be preserved. Because this is such an important task, administrators deserve the best guidance, and that is exactly what we provide. So let us head straight to the first method.
Disable Accounts in AD With Active Directory Users and Computers
Scenario 1: Disable preexisting user
Method 1. Using the Menu Ribbon
- Select the User
- Toggle the Action Tab
- Click on Disable Account
Method 2. Via the User Container
- Select one or more users. Hold the Shift key to select a contiguous run of users, or hold the Ctrl key to pick individual users scattered through the list.
- Right Click > Disable Account
No matter the method you choose, at the end, you should see a notification popup indicating the user status change. Now, you can continue with other tasks, like finding inactive computers in Active Directory.
Scenario 2: Disable Users During Creation
Inside ADUC, there are two ways to start user creation:
- Right-click > Select New > Choose User or click the New User Icon from the toolbar.
- Then fill in the user details, like name, logon name, etc, and press Next.
- After that, type a suitable password, confirm it, and tick the “Account is disabled” box. Click Next.
- Check the User creation details and Press Finish.
- A new user object with a disabled status should be visible inside the container.
How to Disable Multiple Users in Active Directory in Admin Center
- Open ADAC
- Click the Users option below the Domain Controller.
- Select one or more Users
- Click the Disable or Disable All option on the right-hand pane.
If you are about to make a new user and want to keep it in a disabled state, don’t use ADAC. This is because, unlike ADUC, ADAC does not provide a “keep account disabled” option during the creation process.
Command Line Queries to Disable Account in AD
These methods are slightly more technical than the GUI-based ones we covered earlier, so admins who are new to Active Directory management should follow the instructions carefully.
- Press Windows Key + R
- Type cmd and press Enter
- In the command line, type:
dsmod user <UserDN> -disabled yes
Note that the user may be inside an OU or a container, so identify its actual location first. Then replace the <UserDN> placeholder with the user’s distinguished name, as in this example:
dsmod user "CN=dummyUser4,CN=Users,DC=cu14mail,DC=local" -disabled yes
Change the user name and repeat to disable the rest. Sometimes dsmod fails because of permission issues, an incorrect directory location, and so on. Don’t worry, we have an alternative command as well:
net user <username> /active:no
Here too, admins need to replace the placeholder username with the actual name of the user. For example:
net user dummyUser4 /active:no
Although the command-line methods work, they are mostly used to disable a single account at a time, whereas admins usually need to revoke user access in bulk. In that case it is better to rely on PowerShell, so let us see how the scripts help.
How to Disable Multiple Users in Active Directory With PowerShell Scripts
Before we get to the solution, admins should know that these scripts are mostly used for mass disable operations. PowerShell commands make permanent changes in AD, just as they did when we used them to unlock user accounts with PowerShell scripts.
However, this bulk operation cannot be done unless the admin has a CSV file listing the accounts that are to be disabled.
Creating such a list manually is not a good idea, as it eliminates the time advantage we expect from PowerShell.
Therefore, a smart strategy would be to use a tool to prepare a user accounts list beforehand. You can get that list with the help of the SysTools AD Reporting Software. Add the tool to your Active Directory workstation and perform these steps.
Open Tool > REGISTER DC > Validate Admin Credentials > Choose All Users > Download Report.
Change the CSV report name to reflect its use case like “to-be-disabled-users.csv” and save it.
Step 1. Open Windows PowerShell ISE
Step 2. Type the following script:
# Change the file path accordingly
Import-Csv -Path "C:\Users\Administrator\Desktop\to-be-disabled-users.csv" |
ForEach-Object {
    # Extract the Distinguished Name
    $modifiedDN = $_.'DistinguishedName'
    # Set the Identity parameter using the modified DN
    Set-ADUser -Identity $modifiedDN -Enabled $false
}
Step 3. Save and run. Set-ADUser produces no output in the ISE when it succeeds, so to confirm the changes perform the next series of steps.
Step 4. Open a PowerShell window with the Active Directory module loaded.
Step 5. Get a list of all recently disabled users by typing:
$disabledSince = (Get-Date).AddDays(-1) # Adjust the timeframe as needed
Get-ADUser -Filter {Enabled -eq $false -and WhenChanged -ge $disabledSince} -Properties Enabled, Name, WhenChanged |
    Select-Object Name, WhenChanged
To double-check the changes, open the tool and select the Disabled Users category under the Users workload.
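The CSV-driven procedure above does not tell you which rows succeeded, which accounts were already disabled, and which DNs were simply not found. The following script is an added example (not part of the original post or the SysTools tool) that performs the same bulk disable but looks each account up first, reads the Enabled attribute back after the change, supports a -WhatIf dry run, and returns one result row per account; the CSV path and the DistinguishedName column name are assumptions taken from the report format described above.

```powershell
# Added example (not from the original post): disable every account listed in a
# CSV with a DistinguishedName column, then read each one back to verify.
# The CSV path and the column name are assumptions; adjust them to your report.
Import-Module ActiveDirectory

function Disable-UsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $CsvPath)

    $rows = Import-Csv -Path $CsvPath
    if (-not $rows) { throw "No rows found in $CsvPath" }

    foreach ($row in $rows) {
        $dn = $row.DistinguishedName
        if ([string]::IsNullOrWhiteSpace($dn)) {
            [pscustomobject]@{ DistinguishedName = $dn; Result = 'SkippedEmptyDN' }
            continue
        }
        try {
            # Look the object up first so a typo in the CSV fails loudly
            # instead of silently matching nothing.
            $user = Get-ADUser -Identity $dn -Properties Enabled -ErrorAction Stop
            if (-not $user.Enabled) {
                [pscustomobject]@{ DistinguishedName = $dn; Result = 'AlreadyDisabled' }
                continue
            }
            if ($PSCmdlet.ShouldProcess($dn, 'Disable account')) {
                Disable-ADAccount -Identity $user -ErrorAction Stop
                # Trust the directory, not the cmdlet: read Enabled back.
                $check  = Get-ADUser -Identity $dn -Properties Enabled
                $result = if ($check.Enabled) { 'StillEnabled' } else { 'Disabled' }
                [pscustomobject]@{ DistinguishedName = $dn; Result = $result }
            }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            [pscustomobject]@{ DistinguishedName = $dn; Result = 'NotFound' }
        }
        catch {
            # Access denied and other failures land here with the message kept.
            [pscustomobject]@{ DistinguishedName = $dn; Result = "Error: $($_.Exception.Message)" }
        }
    }
}

$csv = 'C:\Users\Administrator\Desktop\to-be-disabled-users.csv'
# Dry run first: -WhatIf prints what would be disabled without touching AD.
Disable-UsersFromCsv -CsvPath $csv -WhatIf
# Real run, keeping the per-account outcome as an audit record.
Disable-UsersFromCsv -CsvPath $csv |
    Export-Csv -Path 'C:\Users\Administrator\Desktop\disable-results.csv' -NoTypeInformation
```

The exported results file gives you a per-account record of the operation, which is easier to reconcile against the original list than the time-based WhenChanged query, since that query also returns accounts disabled by anyone else in the same window.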
Why Take Professional Help During the AD User Disablement Process?
- The tool provides an all-encompassing dashboard to track the before and after scenarios of account disablement operations in real time.
- It allows multi-domain registration, so admins can work across the entire forest.
- Multiple categories let you choose the exact set of users you want to disable.
- Admins can apply a preset duration filter to segregate specific users based on their recent activity in AD.
- Within that duration filter, you can also set a custom timeline.
- With the preview section’s help, you can glance at the results before exporting the initial user list.
- Moreover, the tool replicates all AD changes in real time, so you can check the changes as they happen.
Conclusion
In this writeup, we gave AD admins different ways to disable multiple users in Active Directory. Before user access is revoked, admins might want to check which users are present in a specific OU or container. For that, they are given an excellent reporting utility. Admins who are planning a mass disable operation can use the utility’s export mechanism to get the list of users in CSV format.
This file can then be used alongside PowerShell cmdlets to stop accounts from being used at once. The tool reflects AD updates in real-time, so admins can easily visualize all changes right in the tool dashboard.
Frequently Asked Questions On Active Directory Bulk User Disabling
Is there any way I, as the admin, can schedule the user disabling process?
Yes, administrators can combine PowerShell scripts with the Task Scheduler application to run the disable operation on a custom timeline. Alternatively, admins can set an account expiration date to trigger an auto-disable. Do this after you find the list of computers in Active Directory that a user has access to.
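Both options from this answer, as an added example (not from the original post): stamping an expiration date on each listed account, and registering a one-off Task Scheduler job that runs a disable script at the project cut-off. The CSV path, script path, task name, gMSA name and cut-off date are placeholders, and the gMSA is assumed to have been delegated the rights to disable those accounts.

```powershell
# Added example (not from the original post) of the two scheduling options the
# FAQ mentions. The CSV path, script path, task name, the gMSA name and the
# cut-off date are placeholders; the gMSA must be delegated rights to disable
# these accounts and be allowed to run on the machine that hosts the task.
Import-Module ActiveDirectory

# Option A: stamp an expiration date on each listed account. After that moment
# the account can no longer log on, but Enabled stays $true, so it appears as
# "expired" rather than "disabled" in reports and in ADUC.
function Set-ExpirationFromCsv {
    param(
        [Parameter(Mandatory)] [string]   $CsvPath,
        [Parameter(Mandatory)] [datetime] $ExpireAt
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $dn = $row.DistinguishedName
        try {
            Set-ADAccountExpiration -Identity $dn -DateTime $ExpireAt -ErrorAction Stop
            [pscustomobject]@{ DistinguishedName = $dn; Result = "Expires $ExpireAt" }
        }
        catch {
            [pscustomobject]@{ DistinguishedName = $dn; Result = "Error: $($_.Exception.Message)" }
        }
    }
}

# Option B: run the bulk-disable script once at a fixed time through Task
# Scheduler under a group managed service account, so no password is stored
# in the task and the account's rights can be limited to the target OU.
function Register-DisableTask {
    param(
        [Parameter(Mandatory)] [string]   $ScriptPath,
        [Parameter(Mandatory)] [datetime] $RunAt,
        [string] $TaskName = 'AD-BulkDisable',
        [string] $ServiceAccount = 'DOMAIN\gmsa-addisable$'   # placeholder gMSA
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $RunAt
    # LogonType Password with a gMSA lets Task Scheduler fetch the managed password itself.
    $principal = New-ScheduledTaskPrincipal -UserId $ServiceAccount -LogonType Password
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

$projectEnd = Get-Date '2024-12-31 18:00'   # constructed cut-off date
Set-ExpirationFromCsv -CsvPath 'C:\Scripts\to-be-disabled-users.csv' -ExpireAt $projectEnd
Register-DisableTask -ScriptPath 'C:\Scripts\Disable-ProjectUsers.ps1' -RunAt $projectEnd
```

Option A takes effect without any scheduled job and is visible to reviewers as the accountExpires attribute, while Option B produces a genuinely disabled account; pick one rather than stacking both on the same accounts.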
What are some user-level best practices to follow during account disabling in AD?
After the accounts are disabled, users lose all access to the data that was present in the account. Moreover, because disabled accounts still pose a security threat, admins often delete them. So before an account’s access is revoked, admins should ask users to back up any private data. Also make sure that the user is not in the middle of something: only disable the accounts of users who are offline. Otherwise you run the risk of data loss.
Can disabled accounts be enabled again inside the Active Directory?
Yes, every disabled account can be re-enabled unless it has been hard deleted. The Enable option usually sits alongside the Disable option in ADUC and ADAC. For PowerShell and the command line, admins change the Enabled flag to “true” (for example -Enabled $true in Set-ADUser) and run the same command again.
Can I limit user access to one machine and disable them from the rest?
Yes, by changing the “Logon Workstations” attribute of the user account in question. Here are the steps:
Step 1. Launch ADUC > find and select the user object.
Step 2. Right-click and select “Properties”.
Step 3. Go to the “Account” tab.
Step 4. Under the “Logon Workstations” heading, click on “The following computers”.
Step 5. Type the computer list, separated by commas, and click OK.
Once this is set, the user can log on only to the listed computers; a logon attempt from any other machine is refused.