This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 2%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMO%3C/text%3E%3C/svg%3E)
How do we disable users with expired AD password with exception from AD OU?
We have script below that disables AD users with expired password
Get-ADUser -Filter * -Properties PasswordExpired |
Where-Object PasswordExpired | Disable-ADAccount**
How do we disable users with expired password AD with exception from AD OU?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 46%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU%3C/text%3E%3C/svg%3E)
Hi @Marvin Oco
Just a clarification
Today you disable AD users with expired passwords, with the script you've shared.
What you are hoping for is to exclude members of an AD OU so that they are not disabled if their passwords expire? Is my understanding correct?
If so there are several ways of doing it, the optimal solution depends on where your script runs today, you could set your script to apply to the OUs you want, and not on the ones where you want to exclude it from being run. This can be accomplished over Powershell, or even with a GPO. Ensuring that the link is enabled, enforced or the order of precedence for the GPO setting.
Best regards,
Ulv
Yes, how to do it in powershell?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 94%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIX%3C/text%3E%3C/svg%3E)
Hi,
You can do it like below
$ou= "OU=testou,DC=contoso,DC=com"
Get-ADUser -Filter {Enabled -eq $true} -Properties PasswordExpired | Where-Object {
$_.PasswordExpired -and ($_.DistinguishedName -notlike "*,$ou")} | Disable-ADAccount
Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.