I need help crafting a PowerShell script to filter through an OU and all Sub-OUs inspecting user accounts. The goal is to end up with all the accounts in the parent OU and below being disabled. However, I only want to modify the account if it is currently enabled. In other words, to keep my audit logs clean, I don't want to run through setting the UserAccountControl flag for every single account to Disabled. That clutters my logs with thousands and thousands of "User Account Management" events. I only want to change accounts that are currently enabled.
Hopefully this makes sense. The script should target a given OU, all the user accounts in it and in Sub-OUs, and should disable only accounts that are currently enabled. Placing the DN of the top-most OU in the code is just fine; it doesn't need to accept parameters off the command line.
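
One way to do what the question describes, as an added example that is not part of the original post: the query returns only accounts that are currently enabled, so accounts that are already disabled are never written to and produce no "User Account Management" events. The OU distinguished name and the CSV file name are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The OU DN and the report file name are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param()

# Placeholder: distinguished name of the top-most OU to process.
$SearchBase = 'OU=Departed,DC=example,DC=com'

# The filter is evaluated by the domain controller, so only enabled accounts
# come back. -SearchScope Subtree covers the OU itself and every sub-OU.
$enabledUsers = Get-ADUser -Filter 'Enabled -eq $true' `
    -SearchBase $SearchBase -SearchScope Subtree

$results = @(foreach ($user in $enabledUsers) {
    $status = 'Skipped'
    # ShouldProcess honours -WhatIf and -Confirm passed to this script.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        try {
            Disable-ADAccount -Identity $user -ErrorAction Stop
            $status = 'Disabled'
        }
        catch {
            # Keep going on a per-account failure (for example, access denied)
            # and record the reason in the report.
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        Status            = $status
    }
})

# Record of what was changed, to reconcile against the audit log afterwards.
$results | Export-Csv -Path .\disabled-accounts.csv -NoTypeInformation
$results | Group-Object -Property Status | Select-Object -Property Name, Count
```

Running the script with `-WhatIf` first lists the accounts that would be disabled without changing any of them.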