Disable all active users from an AD group

Posted on by

To disable all enabled users from an Active Directory group use the following script. Replace the groupname with the correct groupname. Also this script will show what it does, but does not disable the accounts until you remove the “-whatif” option from the command: Disable-ADAccount -Identity $user -whatif

 

The original script comes from https://community.spiceworks.com/topic/380100-disable-enable-ad-account-based-on-group-membership

 

$Group = "groupname"
Try { Import-Module ActiveDirectory -ErrorAction Stop }
Catch { Write-Host "Unable to load Active Directory module, is RSAT installed?"; Exit }

Try {
    $GroupDN = (Get-ADGroup $Group -ErrorAction Stop).DistinguishedName
}
Catch {
    Write-Host "Unable to locate group: $Group because ""$($Error[0])""" -ForegroundColor Red
    Exit
}

ForEach ($User in (Get-ADUser -Filter * -Properties MemberOf))
{   If ($User.MemberOf -contains $GroupDN)
    {   
        If ($user.enabled)
        {
            Write-Host "Disabling $($User.Name)"
            Disable-ADAccount -Identity $user -whatif
        }
    }
}

 

Leave a Reply

Your email address will not be published. Required fields are marked *