I'm trying to get a list of users that are members of an Active Directory group that are not disabled. The best I've been able to find so far is:
dsquery group -name "Group name" | dsget group -members -expand | dsget user -samid -disabled -c | findstr /c:" no "
...admitting that the final 'findstr' is a total hack (and it unfortunately also strips the column headings.)
I have been able to find the following dsquery command that gives a list of all non-disabled users:
dsquery * -filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -limit 0 | dsget user -samid -c
...but adding a memberOf parameter only works for groups the users are immediately members of; it doesn't recurse like dsget group's -expand does.
So is there a way to combine these, or get dsquery to recurse, or have I gone as far as I can without using PowerShell? (Which I can't because its tools depend on Active Directory Web Services which isn't present on Samba-based domain controllers as of Samba 4.9.5 at least.)
This syntax worked for me. It uses the LDAP_MATCHING_RULE_IN_CHAIN rule OID (1.2.840.113556.1.4.1941) to check the full ancestry of an object:
Be sure to replace the example distinguishedName string (memberOf=CN=Group Name,OU=Security Groups,DC=domain,DC=com) with the DN of the group that you are querying recursive membership for.
This query returns the DN of each enabled user in the group. If you specifically want to get the sAMAccountName and country, use:
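An added example, not part of the question or the answer: it builds the recursive "enabled users only" filter described above (sAMAccountType, the 803 bit-AND rule on userAccountControl, and the 1941 in-chain rule on memberOf), escapes the group DN per RFC 4515, and checks what that filter selects against a small constructed directory. The group DNs and accounts are made-up sample data.

```python
# Added example (not from the question or the answer). DIRECTORY below is
# constructed sample data modelling what the recursive filter would match.
SAM_NORMAL_USER_ACCOUNT = 805306368          # sAMAccountType of user objects
ACCOUNTDISABLE = 0x2                         # userAccountControl bit for "disabled"
RULE_BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"    # LDAP_MATCHING_RULE_IN_CHAIN

def ldap_escape(value):
    """RFC 4515 escaping for a filter value; group DNs may contain ( ) * or \\."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(group_dn):
    """Enabled user objects that are direct or nested members of group_dn."""
    return ("(&(sAMAccountType=%d)(!(userAccountControl:%s:=%d))(memberOf:%s:=%s))"
            % (SAM_NORMAL_USER_ACCOUNT, RULE_BIT_AND, ACCOUNTDISABLE,
               RULE_IN_CHAIN, ldap_escape(group_dn)))

def dsquery_command(group_dn):
    """The question's dsquery pipeline with the recursive filter dropped in."""
    return 'dsquery * -filter "%s" -limit 0 | dsget user -samid -c' % build_filter(group_dn)

def enabled_members(directory, group_dn):
    """Reference model of the filter: walk nested groups, drop disabled/non-user."""
    groups = {group_dn}                      # every group whose chain reaches group_dn
    changed = True
    while changed:                           # fixed point, so cyclic nesting terminates
        changed = False
        for dn, obj in directory.items():
            if obj.get("group") and dn not in groups and groups & set(obj["memberOf"]):
                groups.add(dn)
                changed = True
    return sorted(obj["sAMAccountName"] for obj in directory.values()
                  if obj.get("sAMAccountType") == SAM_NORMAL_USER_ACCOUNT
                  and not obj["userAccountControl"] & ACCOUNTDISABLE
                  and groups & set(obj["memberOf"]))

def user(sam, groups, uac, acct_type=SAM_NORMAL_USER_ACCOUNT):
    return {"sAMAccountName": sam, "memberOf": groups,
            "userAccountControl": uac, "sAMAccountType": acct_type}

ADMINS = "CN=App Admins,OU=Groups,DC=example,DC=com"   # constructed DNs
DBAS = "CN=DBAs,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    ADMINS: {"group": True, "memberOf": []},
    DBAS: {"group": True, "memberOf": [ADMINS]},        # nested inside App Admins
    "CN=alice,OU=Users,DC=example,DC=com": user("alice", [ADMINS], 512),   # direct, enabled
    "CN=bob,OU=Users,DC=example,DC=com": user("bob", [DBAS], 514),         # nested, disabled
    "CN=carol,OU=Users,DC=example,DC=com": user("carol", [DBAS], 66048),   # nested, enabled
    "CN=SRV01,CN=Computers,DC=example,DC=com": user("SRV01$", [ADMINS], 4096, 805306369),
}
```

`enabled_members(DIRECTORY, ADMINS)` yields only alice and carol: bob is excluded by the disabled bit and SRV01 by sAMAccountType, while `dsquery_command(ADMINS)` is the command line to run against a real domain.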