Need to disable a user in PowerShell with the new “Active Directory Modules” that are part of a Server 2008 R2 Domain Controller?  You’ve never had it so easy.

The command is DISABLE-ADACCOUNT and it can work on one account or multiple accounts at the same time.

Hard to use?  Hardly!  This is IT!

Disable-ADAccount [-Identity] <ADAccount> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Partition <string>]
[-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]


Basic day to day use for most of us will involve


like this


And now the user “john.smith” is disabled in your Active Directory.

Or you can (if you prefer to play safer) use GET-ADUSER to SHOW you who you’re about to disable and pipe those results into the DISABLE-ADACCOUNT Commandlet.  Like this.


Or you can even search a particular OU for a User (if you don’t know the SAM account, if your company uses SAM accounts UNIQUE from the

GET-ADUSER -Filter 'Name -like "John*"' -SearchBase "OU=Bedrock,OU=Locations,DC=Contoso,DC=Local" | DISABLE-ADACCOUNT

And like all “destructive” features with PowerShell you can tack on a -WhatIf to make SURE you don’t make mistakes!

GET-ADUSER -Filter 'Name -like "John*"' | DISABLE-ADACCOUNT -WhatIf

And like all the Commandlets in Server 2008 R2, you can pass alternate credentials or specify servers to work with MULTIPLE domains EASILY from a single system
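
The preview, -WhatIf and disable steps above, run against a named server with alternate credentials, put together as an added example that is not part of the original post. The server name dc01.contoso.local is an assumption, and the OU and name pattern are the constructed values already used above.

```powershell
# Added example: preview, dry run, disable, verify.
# dc01.contoso.local is an assumed domain controller name.
Import-Module ActiveDirectory

$server     = 'dc01.contoso.local'
$searchBase = 'OU=Bedrock,OU=Locations,DC=Contoso,DC=Local'
$cred       = Get-Credential          # alternate credentials for that domain

# Parameters shared by every AD call, so all of them hit the same server.
$ad = @{ Server = $server; Credential = $cred }

# 1. Find the accounts and keep only the ones that are still enabled.
$targets = @(Get-ADUser -Filter 'Name -like "John*"' -SearchBase $searchBase @ad |
    Where-Object { $_.Enabled })

if ($targets.Count -eq 0) {
    Write-Warning "No enabled accounts matched under $searchBase"
    return
}

# 2. Show exactly who is about to be disabled.
$targets | Select-Object SamAccountName, Name, DistinguishedName |
    Format-Table -AutoSize | Out-Host

# 3. Dry run: -WhatIf reports each change without making it.
$targets | Disable-ADAccount @ad -WhatIf

# 4. Real run: -Confirm prompts before changing, -PassThru returns the objects.
$done = @($targets | Disable-ADAccount @ad -Confirm -PassThru)

# 5. Re-read each account from the directory and flag anything still enabled.
foreach ($u in $done) {
    $now = Get-ADUser -Identity $u.DistinguishedName @ad
    if ($now.Enabled) {
        Write-Warning "$($now.SamAccountName) is still enabled"
    } else {
        Write-Output "$($now.SamAccountName) disabled"
    }
}
```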


PowerShell.  It just ROCKS!

The Energized Tech