
I'm trying to get a list of users that are members of an Active Directory group that are not disabled. The best I've been able to find so far is:

dsquery group -name "Group name" | dsget group -members -expand | dsget user -samid -disabled -c | findstr /c:" no "

...admitting that the final 'findstr' is a total hack (and it unfortunately also strips the column headings.)

I have been able to find the following dsquery command that gives a list of all non-disabled users:

dsquery * -filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -limit 0 | dsget user -samid -c

...but adding a memberOf parameter only works for groups the users are immediately members of; it doesn't recurse like dsget group's -expand does.

So is there a way to combine these, or get dsquery to recurse, or have I gone as far as I can without using PowerShell? (Which I can't because its tools depend on Active Directory Web Services which isn't present on Samba-based domain controllers as of Samba 4.9.5 at least.)

Sean P.

1 Answer


This syntax worked for me. It uses the LDAP_MATCHING_RULE_IN_CHAIN rule OID (1.2.840.113556.1.4.1941) to check the full ancestry of an object:

dsquery * domainroot -limit 0 -r -filter "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Group Name,OU=Security Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

Be sure to replace the example distinguishedName string (memberOf=CN=Group Name,OU=Security Groups,DC=domain,DC=com) with the DN of the group that you are querying recursive membership for.

This query returns the DN of each enabled user in the group. If you specifically want to get the sAMAccountName and country, use:

dsquery * domainroot -limit 0 -r -filter "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Group Name,OU=Security Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -attr sAMAccountName co

SamErde
  • Unfortunately this exhibits the same problem where it only shows users that are explicitly added to the specified group instead of all users that are members by group inheritance. – Sean P. Apr 10 '20 at 20:27
  • I'm happy to let you know that my updated answer works recursively. – SamErde Apr 13 '20 at 17:51
  • Thank you! But I get a different (smaller) result set using your query than `dsget group -members -expand` with the same group DN. Any idea why that might be? – Sean P. Apr 13 '20 at 21:12
  • Check your results for any duplicates that might result from a user being included in more than one of the nested groups. Also make sure that your results do not have any disabled users in them. My query should eliminate both. – SamErde Apr 14 '20 at 11:01
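The following is an added illustration, not code from the question or the answer above, of what the two extensible-match OIDs in the accepted filter actually evaluate: `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) walks nested `member` links transitively, and `1.2.840.113556.1.4.803` (LDAP_MATCHING_RULE_BIT_AND) tests whether the `userAccountControl` bit 0x2 (account disabled) is set. It runs against a small in-memory directory whose DNs and users are constructed for the example (the group DN is the placeholder from the answer); it does not talk to a domain controller. It also shows why a user who is reachable through more than one nested group comes out once, which is the duplicate effect the last comment refers to.

```python
"""Model of the two LDAP matching rules used in the dsquery filter above.

The directory below is constructed sample data (hypothetical DNs), not taken
from any real domain: one group nests another group, one user is disabled,
and one user is reachable by two paths.
"""
from typing import Dict, List, Set

# Extensible matching rule OIDs from the answer's filter
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (recursive) membership
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on an integer attribute
UF_ACCOUNTDISABLE = 0x2                                   # userAccountControl bit for a disabled account

# Constructed in-memory directory: DN -> attributes
DIRECTORY: Dict[str, dict] = {
    "CN=Group Name,OU=Security Groups,DC=domain,DC=com": {
        "objectCategory": "group",
        "member": [
            "CN=alice,OU=Users,DC=domain,DC=com",
            "CN=Nested Group,OU=Security Groups,DC=domain,DC=com",
        ],
    },
    "CN=Nested Group,OU=Security Groups,DC=domain,DC=com": {
        "objectCategory": "group",
        "member": [
            "CN=bob,OU=Users,DC=domain,DC=com",
            "CN=carol,OU=Users,DC=domain,DC=com",
            "CN=alice,OU=Users,DC=domain,DC=com",  # alice is both a direct and a nested member
        ],
    },
    "CN=alice,OU=Users,DC=domain,DC=com": {
        "objectCategory": "user", "sAMAccountName": "alice", "userAccountControl": 512},
    "CN=bob,OU=Users,DC=domain,DC=com": {
        "objectCategory": "user", "sAMAccountName": "bob", "userAccountControl": 514},    # 512 | 0x2: disabled
    "CN=carol,OU=Users,DC=domain,DC=com": {
        "objectCategory": "user", "sAMAccountName": "carol", "userAccountControl": 66048},  # 512 | 0x10000 (DONT_EXPIRE_PASSWD)
}


def build_filter(group_dn: str) -> str:
    """Return the filter string the answer uses, parameterised on the group DN."""
    return (
        "(&(objectCategory=user)"
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group_dn})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def transitive_members(group_dn: str, directory: Dict[str, dict] = DIRECTORY) -> Set[str]:
    """What memberOf:<IN_CHAIN>:=<group_dn> matches: every DN reachable through
    nested 'member' links. The visited set both stops cycles and collapses
    users reached by more than one path into a single hit."""
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        for member in directory.get(dn, {}).get("member", []):
            if member not in seen:
                seen.add(member)
                stack.append(member)  # groups expand further; users have no 'member' attribute
    return seen


def is_disabled(entry: dict) -> bool:
    """What userAccountControl:<BIT_AND>:=2 matches: the 0x2 bit is set."""
    return bool(entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)


def enabled_users_in_group(group_dn: str, directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """Evaluate the whole filter: user objects, transitively in the group, not disabled."""
    return sorted(
        directory[dn]["sAMAccountName"]
        for dn in transitive_members(group_dn, directory)
        if directory[dn]["objectCategory"] == "user" and not is_disabled(directory[dn])
    )


if __name__ == "__main__":
    group = "CN=Group Name,OU=Security Groups,DC=domain,DC=com"
    print(build_filter(group))
    print(enabled_users_in_group(group))  # alice once (despite two paths), carol; bob excluded as disabled
```

Against real AD, the same filter string goes into `dsquery * ... -filter`; the in-memory walk is only there to make the semantics of the two OIDs visible. Note that the chain rule is evaluated server-side per object, so large nested group trees can make this query noticeably slower than a plain `memberOf=` match.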