Automatically disable users when expired

So I was working at a company and the security department was complaining that old employees werent disabled. Well IT did set the account expired date on each user, but the security department really liked the little arrow on the user icon. So this is a simple powershell script that disables all user accounts which has passed their expires date. So we ran this script and IT could continue as before and the security department got their small arrows on the user accounts.

Or you could use the Cmdlet Search-ADAccount


  1. Michael says:

    Thank you for your nice script, its really helpful.
    How can I change the disable date to 14 days after the account has expired?
    I need that little tweak because the user should have 14 days time to unlock their account by the helpdesk.

    With Kind regards,

    • virot says:

      Hi Michael.

      Its easy. Just add the amount of days to the assignment of $now.
      $now = (Get-Date).AddDays(-14).ToFileTime()
      This will limit to accounts which were past account expiry 14 days ago.

  2. Sandro says:

    Hi, how would I be able to also move all the accounts that are disabled to a different OU in Active Directory?

    • virot says:

      By adding the paramater -passthru to Disable-ADAccount you can pipe it on to the next cmdlet.

      Search-ADAccount -AccountExpired -UsersOnly | Where-Object {$_.Enabled}| Disable-ADAccount -Passthru |Move-ADObject -TargetPath <DN of destination>

      That will move all newly disabled to that OU. If you want to move it is doable too, Lets just use Get-ADComputer and Move-ADObject.

      Get-ADComputer -Filter {Enabled -eq $False}|Move-ADObject -TargetPath <DN of destination>

      Good Luck

  3. _nd93q45 says:

    Thank you; i’ve been searching for hours trying to find a similar DSQUERY/DSMOD but there seems to be no “expired” boolean and calculating interger8 in DOS is impossible. PS seems my only (and best) alternative.

Leave a Reply