
Ldapsearch and groups and Active Directory

I am trying to get a list of groups/users using ldapsearch.

Most of the searches I have seen show that the way to get only enabled/active users is to use a query similar to the following:

(&(objectCategory=person)
(objectClass=user)
(sAMAccountType=805306368)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName=<username>))

The issue I am having is I need a list of ALL AD Groups and their Users that are active with the disabled users removed.

Typically I have seen groups pulled with something like this:

(&(objectClass=group)(member=*))

This query pulls the groups and users but pulls ALL users disabled and enabled.

What I need is a way to accomplish both.

So far I have tried combining the commands but it has proven to be unsuccessful.

(&(objectCategory=group)
(objectclass=group)
(!(isCriticalSystemObject=TRUE))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Is there a way to accomplish the task of pulling only enabled users while still getting all the groups?

The problem is that by querying groups with objectclass=group, you can only filter which groups, not which members (active or not) of those groups, so you would have to intersect the members (all) of each group with the set of active users, which implies another query to grab those users in the first place, and a bit more client code to process the results.

The good news is that AD implements the memberOf attribute, so you can do the other way around, searching for all active users and list the groups they belong to by reading this attribute.
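As an added illustration of the approach in this answer (not code from the original post), the following Python script takes the LDIF that `ldapsearch -LLL` prints for the enabled-users filter from the question, with `sAMAccountName` and `memberOf` requested, and inverts it into a group-to-enabled-members map. The sample LDIF embedded below is constructed for the example; the server, bind DN and base DN in the comment are placeholders.

```python
"""
Invert enabled-user -> memberOf into group -> enabled members, as the answer
suggests. The ldapsearch call whose output this parses would look roughly like
(DC_HOST, BIND_DN and BASE_DN are placeholders for your environment):

  ldapsearch -LLL -H ldap://DC_HOST -D 'BIND_DN' -W -b 'BASE_DN' \
    "$ENABLED_USERS_FILTER" sAMAccountName memberOf
"""
import base64
from collections import defaultdict

# Same filter as in the question: person/user objects whose
# userAccountControl does not have the ACCOUNTDISABLE bit (2) set.
ENABLED_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(sAMAccountType=805306368)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample standing in for real ldapsearch -LLL output.
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: alice\n"
    "memberOf: CN=Finance,OU=Groups,DC=example,DC=test\n"
    # ldapsearch folds long lines; a leading space marks a continuation.
    "memberOf: CN=VPN Users,OU=Remote Access Grou\n"
    " ps,OU=Groups,DC=example,DC=test\n"
    "\n"
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: bob\n"
    "memberOf: CN=Finance,OU=Groups,DC=example,DC=test\n"
    "\n"
    "dn: CN=Carol Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: carol\n"
    # '::' marks a base64-encoded value; encoded here so the sample stays valid.
    "memberOf:: "
    + base64.b64encode(b"CN=Domain Admins,CN=Users,DC=example,DC=test").decode()
    + "\n"
)


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines and base64 ('::') values, skips
    comments, and treats a blank line as the end of an entry.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[name].append(value)
    if current:
        entries.append(current)
    return entries


def groups_to_enabled_members(entries):
    """Map each group DN to the sorted sAMAccountNames of enabled users in it.

    Only users returned by the enabled-users filter are present, so disabled
    accounts never appear in any group's member list.
    """
    groups = defaultdict(set)
    for entry in entries:
        names = entry.get("sAMAccountName")
        if not names:
            continue
        for group_dn in entry.get("memberOf", []):
            groups[group_dn].add(names[0])
    return {dn: sorted(members) for dn, members in sorted(groups.items())}


if __name__ == "__main__":
    for dn, members in groups_to_enabled_members(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: {', '.join(members)}")
```

Two caveats when relying on `memberOf`: it lists direct memberships only, so nested groups are not expanded, and it omits a user's primary group (the one referenced by `primaryGroupID`, normally Domain Users). Groups that end up with no enabled members are simply absent from the map, which is usually the desired result for this question.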
