How to delete Active Directory users using PowerShell

Deleting Active Directory (AD) user accounts is a critical administrative task for security and AD cleanup. This action is permanent and without a proper AD backup, irreversible. There's more than one way to delete an AD user and this article will talk about the three primary methods, using Active Directory Users and Computers (ADUC), PowerShell and the simple and secure alternative, ADManager Plus.

Delete vs. disabling AD users: Which one should you do?

  • Deleting an AD user: When you delete an AD user, the user object, its SID, and its attributes are removed. Delete an AD object only when an employee has permanently left the company and all data retention periods have passed.
  • Disabling an AD user: When you disable an account, the account remains in AD but cannot be used to log in. This is the best practice for temporary leaves, security investigations, or as a first step before permanent deletion.

How to remove AD users using PowerShell

Using PowerShell's Remove-ADUser cmdlet is the most flexible way to delete AD users. Before you proceed, make sure the Active Directory module for PowerShell (part of RSAT) is installed, then import it:

# Import the Active Directory module
Import-Module ActiveDirectory

You can identify the user by their sAMAccountName, Distinguished Name (DN), or User Principal Name (UPN).

# This command will prompt for confirmation
Remove-ADUser -Identity "jdoe"
# To skip the confirmation prompt in a script, use -Confirm:$false
Remove-ADUser -Identity "jdoe" -Confirm:$false

Example scripts and use-cases

The following are some example scripts and use cases you can accomplish with the Remove-ADUser cmdlet in PowerShell.

Example 1: Delete bulk AD users from a CSV

This is the most common script admins use to remove AD users with PowerShell. Create a CSV file with a samaccountname column listing the users to be deleted and run the following script.

# Import the list of users from the CSV
$users = Import-Csv -Path "C:\temp\users-to-delete.csv"
# Loop through each user in the list and remove them
foreach ($user in $users) {
    $sam = $user.samaccountname
    Write-Host "Attempting to delete user: $sam"
    # Use -ErrorAction SilentlyContinue so one bad name doesn't stop the script
    Remove-ADUser -Identity $sam -Confirm:$false -ErrorAction SilentlyContinue
}
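The script above silently swallows errors and leaves no record of what it removed. The following is an added example (not from the original article) of the same CSV-driven deletion with the checks a practitioner would want: it refuses to run unless the AD Recycle Bin is enabled, resolves each name before acting, skips protected (adminCount=1) accounts, previews by default until -Commit is given, and writes an audit log. The CSV path, the audit log path and the samaccountname header are assumptions.

```powershell
# Added example, not from the original article. Assumes C:\temp\users-to-delete.csv
# with a "samaccountname" header and a writable audit file at C:\temp\delete-audit.csv.
[CmdletBinding()]
param(
    [string]$CsvPath   = "C:\temp\users-to-delete.csv",
    [string]$AuditPath = "C:\temp\delete-audit.csv",
    [switch]$Commit    # without -Commit the script only reports what it would delete
)
Import-Module ActiveDirectory

# Refuse to run unless the AD Recycle Bin is enabled, so a mistake is recoverable.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { throw "AD Recycle Bin is not enabled; aborting." }

$operator = "$env:USERDOMAIN\$env:USERNAME"
foreach ($row in Import-Csv -Path $CsvPath) {
    $sam   = "$($row.samaccountname)".Trim()
    $entry = [ordered]@{ Time = Get-Date -Format o; Operator = $operator; User = $sam; Result = "" }
    try {
        # Resolve the account first; a missing or mistyped name is logged, not silently skipped.
        $u = Get-ADUser -Identity $sam -Properties adminCount -ErrorAction Stop
        if ($u.adminCount -eq 1) {
            # adminCount=1 marks current or former members of protected groups; never bulk-delete these.
            $entry.Result = "SKIPPED: protected account (adminCount=1)"
        }
        elseif (-not $Commit) {
            $entry.Result = "DRY-RUN: would delete $($u.DistinguishedName)"
        }
        else {
            Remove-ADUser -Identity $u.DistinguishedName -Confirm:$false -ErrorAction Stop
            $entry.Result = "DELETED $($u.DistinguishedName)"
        }
    }
    catch {
        $entry.Result = "ERROR: $($_.Exception.Message)"
    }
    Write-Host "$sam -> $($entry.Result)"
    # Append to the audit CSV so there is a record of who deleted what, and when.
    [pscustomobject]$entry | Export-Csv -Path $AuditPath -Append -NoTypeInformation
}
```

Run it once without -Commit and review the audit file before running it again with -Commit.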

Example 2: Find and delete inactive AD users

A crucial cleanup task is to delete AD users who haven't logged in for a set period.

# Set the inactivity threshold
$inactiveDays = 90
$cutoffDate = (Get-Date).AddDays(-$inactiveDays)
# Find users whose last logon is older than the cutoff
# (accounts that have never logged on have no LastLogonDate and are not returned by this filter)
$inactiveUsers = Get-ADUser -Filter { LastLogonDate -lt $cutoffDate } -Properties LastLogonDate
# Loop through and delete each inactive user
foreach ($user in $inactiveUsers) {
    $name = $user.SamAccountName
    Write-Host "Deleting inactive user: $name (Last Logon: $($user.LastLogonDate))"
    # Use -WhatIf first to test! Remove -WhatIf to perform the actual deletion.
    Remove-ADUser -Identity $name -WhatIf
}
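As the opening section says, disabling is the best first step before permanent deletion. The following added example (not from the original article) applies that to inactive-user cleanup: it disables stale accounts and stamps the date in the description, then deletes only accounts that have stayed disabled past a grace period. It also catches accounts that never logged on, which the plain LastLogonDate filter misses. The description stamp, the 30-day grace period and the -Commit switch are assumptions.

```powershell
# Added example, not from the original article. Disables inactive users first and
# deletes them only after a grace period; assumes the description stamp below is not
# used for anything else in your domain.
[CmdletBinding()]
param(
    [int]$InactiveDays = 90,
    [int]$GraceDays    = 30,
    [switch]$Commit     # without -Commit every change is only a -WhatIf preview
)
Import-Module ActiveDirectory
$dryRun   = -not $Commit
$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$deadline = (Get-Date).AddDays(-$GraceDays)

# Phase 1: disable enabled users with no logon since the cutoff. "LastLogonDate -notlike '*'"
# catches accounts that never logged on, which a plain "-lt $cutoff" filter silently misses;
# whenCreated keeps brand-new accounts out of scope.
$stale = Get-ADUser -Filter { (Enabled -eq $true) -and (whenCreated -lt $cutoff) -and ((LastLogonDate -lt $cutoff) -or (LastLogonDate -notlike '*')) } -Properties LastLogonDate, adminCount
foreach ($u in $stale) {
    if ($u.adminCount -eq 1) { Write-Host "Skipping protected account $($u.SamAccountName)"; continue }
    Write-Host "Disabling $($u.SamAccountName) (last logon: $($u.LastLogonDate))"
    Disable-ADAccount -Identity $u -WhatIf:$dryRun
    # Stamp the reason and date so phase 2 can tell these apart from other disabled accounts.
    Set-ADUser -Identity $u -Description "Disabled for inactivity on $(Get-Date -Format yyyy-MM-dd)" -WhatIf:$dryRun
}

# Phase 2: delete only accounts that phase 1 disabled more than $GraceDays ago.
$disabled = Get-ADUser -Filter { (Enabled -eq $false) -and (Description -like 'Disabled for inactivity on*') } -Properties Description
foreach ($u in $disabled) {
    if ($u.Description -match 'Disabled for inactivity on (\d{4}-\d{2}-\d{2})$') {
        $since = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($since -le $deadline) {
            Write-Host "Deleting $($u.SamAccountName), disabled since $($Matches[1])"
            Remove-ADUser -Identity $u -Confirm:$false -WhatIf:$dryRun
        }
    }
}
```

Schedule the script to run daily; an account that is re-enabled during the grace period is no longer matched by phase 2 and is left alone.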

How to delete an AD user in ADUC

Using the ADUC console is the most direct method to delete a single user.

  1. On your Domain Controller or a PC with RSAT, press Windows + R, type dsa.msc, and press Enter.
  2. Navigate the OU tree to locate the user account. If you don't know the user's OU, right-click your domain name and click Find to search and locate the user.
  3. Right-click the user object you want to remove and click Delete.
  4. Click Yes in the confirmation dialog box.
Deleting AD users in ADUC.

How to securely delete AD users using ADManager Plus

While native tools work, they have serious drawbacks. ADUC is too manual for bulk tasks, and a single mistake in a PowerShell script can permanently remove the wrong OU.

ADManager Plus, an AD management tool, provides a secure and intuitive interface that turns complex scripts into a few simple clicks, allowing you to safely delegate tasks to help desk staff without granting them high-level domain permissions.

How to delete AD users in bulk using ADManager Plus

  1. Log in to ADManager Plus.
  2. Navigate to Management > User Management > Bulk User Modification > Delete Users.
  3. Select the domain and import your CSV file containing the list of users. You can also search and locate the users from the search bar. Click Go.
  4. Choose the user accounts from the list and click Apply.
Delete AD users in bulk with just a CSV file using ADManager Plus.

ADManager Plus streamlines the entire process, eliminating errors and providing a simple solution for all AD user management actions.

Limitations of using ADUC and PowerShell for deleting AD users

While functional, the built-in tools have significant drawbacks:

  • Error-prone: Removing an AD user using PowerShell is irreversible. A typo in a PowerShell script can lead to accidentally deleting thousands of users with no simple undo.
  • Permissions risk: To delete a user, you must have the Delete User permissions, which are high-level rights. Delegating this task to a help desk technician is a security risk, as they could delete the wrong object.
  • Steep learning curve: Writing a safe and effective script requires understanding error handling, confirmation parameters, and more.
  • No scalability: ADUC is only practical for deleting one user at a time. It's impossible to use for bulk cleanup.
  • No audit trail: It's difficult to get a clear, simple report of who deleted what and when using these tools.

Benefits of using ADManager Plus to delete AD users

ADManager Plus is designed to overcome all the limitations of the native tools, providing a secure and efficient solution.

  • Secure and granular delegation: Use help desk roles to grant help desk technicians the power to only delete users, and only within specific OUs.
  • Bulk modification: Remove AD users in bulk by importing a simple CSV file.
  • Report-based cleanup: Run a report, such as Inactive Users or Disabled Users, and delete the accounts directly from the report interface with a few clicks.
  • Approval-based workflow: Implement an approval workflow, requiring a manager's approval before a user account is permanently deleted.
  • Complete deprovisioning: An automation policy can simultaneously remove the AD user, delete their Microsoft 365 license, wipe their mailbox, and remove their home folder, all in one action.

FAQs

Yes, if you have the Active Directory Recycle Bin enabled, you can recover a deleted AD user. It must be enabled before the user is deleted. If it's not enabled, you must perform a complex authoritative restore from an AD backup.
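The following added example (not from the original article) shows how to verify that the Recycle Bin is enabled before relying on it, and how to recover a deleted user by sAMAccountName when it is. The account name "jdoe" is assumed, as are the function names.

```powershell
# Added example, not from the original article: check the AD Recycle Bin and, if it is
# enabled, restore a deleted user. Assumes "jdoe" is the account to recover and that
# the running account holds rights to restore objects.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    # EnabledScopes stays empty until the feature has been enabled for the forest.
    return [bool]($feature -and $feature.EnabledScopes)
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$Sam)
    # Deleted objects are hidden unless -IncludeDeletedObjects is given; sAMAccountName is
    # one of the attributes preserved on the deleted object, so it can still be searched.
    $deleted = Get-ADObject -Filter { SamAccountName -eq $Sam -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent, whenChanged
    if (-not $deleted) { Write-Warning "No deleted object named $Sam found"; return }
    foreach ($obj in $deleted) {
        # LastKnownParent is the OU the object lived in; Restore-ADObject puts it back there by default.
        Write-Host "Restoring $($obj.SamAccountName) to $($obj.LastKnownParent) (deleted $($obj.whenChanged))"
        Restore-ADObject -Identity $obj.ObjectGUID
    }
}

if (Test-ADRecycleBin) {
    Restore-DeletedUser -Sam "jdoe"
}
else {
    Write-Warning "Recycle Bin is disabled: a deleted user can only be recovered by an authoritative restore from backup."
}
```

The restored object keeps its original SID and group memberships, which is why the Recycle Bin is preferable to recreating the account.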

The user's SID is permanently deleted along with the user object. If you create a new user with the same name, they will get a new SID. This new user will not have access to any files, folders, or resources that were previously accessible.

No. Deleting a user object only removes it from AD and does not automatically delete the user's Microsoft 365 or Exchange mailbox or their personal file share. These must be de-provisioned separately. However, ADManager Plus can help you automate this entire workflow and streamline AD deprovisioning.

Swiftly deprovision AD users with ADManager Plus today!
