To disable all enabled users in an Active Directory group, use the following script. Replace "groupname" with the name of your group. As written, the script only shows what it would do; it does not disable any accounts until you remove the “-whatif” option from the command: Disable-ADAccount -Identity $user -whatif
The original script comes from https://community.spiceworks.com/topic/380100-disable-enable-ad-account-based-on-group-membership
$Group = "groupname"

# Load the Active Directory module (part of RSAT)
Try {
    Import-Module ActiveDirectory -ErrorAction Stop
}
Catch {
    Write-Host "Unable to load Active Directory module, is RSAT installed?"; Exit
}

# Resolve the group name to its distinguished name
Try {
    $GroupDN = (Get-ADGroup $Group -ErrorAction Stop).DistinguishedName
}
Catch {
    Write-Host "Unable to locate group: $Group because ""$($Error[0])""" -ForegroundColor Red
    Exit
}

# Check every user's MemberOf list for the group and disable the enabled ones
ForEach ($User in (Get-ADUser -Filter * -Properties MemberOf)) {
    If ($User.MemberOf -contains $GroupDN) {
        If ($user.enabled) {
            Write-Host "Disabling $($User.Name)"
            Disable-ADAccount -Identity $user -whatif
        }
    }
}
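The variant below is an added example, not the original script or code from the Spiceworks thread. It asks AD for the group's direct members instead of reading every user in the domain, writes the list of accounts that were enabled to a CSV so the change can be reversed, and checks the result after a real run. The names $DryRun and $LogPath are assumptions introduced for this example.

```powershell
# Added example, not the original script. $DryRun and $LogPath are assumed names.
$Group   = "groupname"     # placeholder, as in the script above
$DryRun  = $true           # set to $false to actually disable the accounts
$LogPath = ".\disabled-${Group}-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

Import-Module ActiveDirectory -ErrorAction Stop

# Direct members of the group that are user objects and currently enabled.
$Targets = Get-ADGroupMember -Identity $Group -ErrorAction Stop |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    Where-Object { $_.Enabled }

# Record which accounts were enabled beforehand, so they can be re-enabled later.
$Targets |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path $LogPath -NoTypeInformation

ForEach ($User in $Targets) {
    Write-Host "Disabling $($User.Name)"
    # -WhatIf:$true only reports the action; -WhatIf:$false performs it.
    Disable-ADAccount -Identity $User -WhatIf:$DryRun
}

# After a real run, re-read each account and report any that is still enabled.
If (-not $DryRun) {
    $StillEnabled = $Targets |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName } |
        Where-Object { $_.Enabled }

    If ($StillEnabled) {
        Write-Warning "Still enabled: $($StillEnabled.SamAccountName -join ', ')"
    }
    Else {
        Write-Host "All $(@($Targets).Count) listed accounts are disabled."
    }
}
```

To reverse the change, the saved CSV can be fed to Enable-ADAccount, for example: Import-Csv $LogPath | ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName -WhatIf }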