Automatically disable users when expired

So I was working at a company and the security department was complaining that old employees weren't disabled. Well, IT did set the account expiration date on each user, but the security department really liked the little arrow on the user icon. So this is a simple PowerShell script that disables all user accounts that have passed their expiration date. So we ran this script and IT could continue as before and the security department got their small arrows on the user accounts.

Or you could use the Cmdlet Search-ADAccount
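
As an added example (not the original script from this post), here is one way to disable enabled users whose accountExpires value has passed and write a CSV record of each action. The -GraceDays and -LogPath parameters and the default log file name are hypothetical names chosen for this sketch.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$GraceDays = 0,                                   # hypothetical: days to wait after expiry
    [string]$LogPath = '.\disabled-expired-accounts.csv'   # hypothetical log location
)

# accountExpires is stored as a Windows FILETIME (Integer8).
# 0 and 9223372036854775807 both mean "never expires", so the filter
# requires a value of at least 1 and no later than the cutoff.
$cutoff = (Get-Date).AddDays(-$GraceDays).ToFileTime()

# The bitwise matching rule tests the ACCOUNTDISABLE flag (2) in
# userAccountControl; negating it keeps only accounts still enabled.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(accountExpires>=1)(accountExpires<=$cutoff)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$expired = Get-ADUser -LDAPFilter $filter -Properties accountExpires

# Run with -WhatIf first: ShouldProcess then lists the accounts without changing them.
$log = @(foreach ($user in $expired) {
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable expired account')) {
        try {
            Disable-ADAccount -Identity $user -Confirm:$false -ErrorAction Stop
            $result = 'Disabled'
        } catch {
            $result = "Failed: $($_.Exception.Message)"
        }
        # One record per attempted account, including failures
        [pscustomobject]@{
            Timestamp         = (Get-Date).ToString('s')
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            ExpiredOn         = [datetime]::FromFileTime($user.accountExpires)
            Result            = $result
        }
    }
})

if ($log.Count -gt 0) {
    $log | Export-Csv -Path $LogPath -NoTypeInformation -Append
}
Write-Output "Accounts processed: $($log.Count)"
```

Failed attempts are logged alongside successes, so the CSV doubles as an audit trail for accounts that still need manual attention.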


  1. Michael says

    Thank you for your nice script, it's really helpful.
    How can I change the disable date to 14 days after the account has expired?
    I need that little tweak because the user should have 14 days time to unlock their account by the helpdesk.

    With Kind regards,

    • virot says

      Hi Michael.

      It's easy. Just add the number of days to the assignment of $now.
      $now = (Get-Date).AddDays(-14).ToFileTime()
      This will limit to accounts which were past account expiry 14 days ago.

  2. Sandro says

    Hi, how would I be able to also move all the accounts that are disabled to a different OU in Active Directory?

    • virot says

      By adding the parameter -PassThru to Disable-ADAccount you can pipe it on to the next cmdlet.

      Search-ADAccount -AccountExpired -UsersOnly | Where-Object {$_.Enabled} | Disable-ADAccount -PassThru | Move-ADObject -TargetPath <DN of destination>

      That will move all newly disabled to that OU. If you want to move it is doable too. Let's just use Get-ADComputer and Move-ADObject.

      Get-ADComputer -Filter {Enabled -eq $False} | Move-ADObject -TargetPath <DN of destination>

      Good Luck

  3. _nd93q45 says

    Thank you; I’ve been searching for hours trying to find a similar DSQUERY/DSMOD but there seems to be no “expired” boolean and calculating Integer8 in DOS is impossible. PS seems my only (and best) alternative.

  4. Can we get a log file of how many accounts were disabled after running this script?

    • virot says

      It should be possible to add that to the script.
      But it depends on what kind of logging we want.
