In some cases, the administrator must disable all accounts in a specific Organizational Unit (OU). We can approach this task using either Active Directory Users and Computers or PowerShell.
The first method, Active Directory Users and Computers, is the simpler one. We select one or more users that we want to disable, right-click, and then choose Disable Account, as depicted in the image below. It works fine when all users are in the same OU. However, in some cases we have tons of sub-OUs, and that makes it difficult to disable a lot of users at the same time.
After you choose to disable the accounts, a dialog box is displayed informing you that all objects were disabled.
If we have several Organizational Units underneath and we want to disable all accounts, PowerShell is the best approach. We can start by listing all the users from any given OU using the following command line. Make sure to replace the SearchBase value with your own domain and OU location.
Get-ADUser -SearchBase "OU=OUName,dc=domain,dc=local" -Filter *
To disable the accounts, just add | Disable-ADAccount to the end of the command. That makes sure that all accounts in the OU and in all the Organizational Units underneath it are disabled.
Get-ADUser -SearchBase "OU=OUName,dc=domain,dc=local" -Filter * | Disable-ADAccount
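A more cautious version of the same pipeline, added here as an example and not part of the original article: it targets only accounts that are still enabled, saves a list for audit and rollback, and previews the change with -WhatIf before anything is modified. The OU path is the article's placeholder and the CSV file name is an assumption.

```powershell
# Added example. The DN and the report path are placeholders, not real values.
Import-Module ActiveDirectory

$SearchBase = 'OU=OUName,dc=domain,dc=local'   # same placeholder DN as in the commands above
$ReportPath = '.\disabled-accounts.csv'         # hypothetical output file

# Collect only accounts that are currently enabled, in the OU and every sub-OU.
# Subtree is the default search scope; it is spelled out here to make the reach explicit.
$targets = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true' -Properties LastLogonDate

# Record what is about to change so the action can be reviewed, audited or reversed.
# Review the list for service or shared accounts that happen to live in this OU.
$targets |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host "$(@($targets).Count) enabled account(s) found under $SearchBase"

# Dry run: -WhatIf lists each account that would be disabled without changing it.
$targets | Disable-ADAccount -WhatIf

# When the preview looks right, run the real change:
# $targets | Disable-ADAccount

# Verify afterwards: this should return nothing.
# Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true'

# Rollback using the saved report:
# Import-Csv $ReportPath | ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
```

Because the report holds only accounts that were enabled before the change, the rollback does not re-enable accounts that were already disabled for other reasons.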
How do I find the distinguished name to enter in the SearchBase parameter?
You can build that path yourself if you know the location, but if you are not sure, there is an easy way. Using Active Directory Users and Computers, click on View and then click on Advanced Features.
After that, right-click on the desired Organizational Unit, click on the Attribute Editor tab, and then double-click on distinguishedName and copy the content displayed in the dialog box.