Re: Query to extract only those group members with enabled accounts

From: Jerold Schulman <Jerry@xxxxxxxxxx>
Date: Tue, 12 Dec 2006 21:03:08 -0500

On 12 Dec 2006 13:42:03 -0800, mail269618@xxxxxxxxxxxxxxxx wrote:

I would like to extract a list of the members of an AD group, but only
include those with enabled accounts (i.e. anyone whose account is not
disabled).

From my reading here and elsewhere, I believe that the following should

work, however I wanted to check my logic and my code before I try it as
I don't have a test machine at the moment.

dsquery * domainroot -filter
"(&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))"
| dsget group "CN=GroupName,DC=domain name,DC=com" -members >
c:\temp\list.txt

I thought that my logic was sound - using dsquery to find non-disabled
accounts and then piping that to dsget to retrieve members of the
group.

I modified the dsquery example from
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=9815 and piped it's output to
a dsget example from the online help, suggesting the format is dsget
group "<GroupDN>" -members.

Should this work? Any suggested improvements? Thanks for your input.

No.

Your querying users and piping to a group!

This batch works.

@echo off
setlocal
for /f "Tokens=*" %%a in ('dsget group "CN=GroupName,DC=domain name,DC=com" -members') do (
for /f "Tokens=*" %%b in ('dsget user %%a -disabled^|find "no"') do (
@echo %%a
)
)
endlocal

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
.

Follow-Ups:
- Re: Query to extract only those group members with enabled accounts
  - From: mail269618

References:
- Query to extract only those group members with enabled accounts
  - From: mail269618

Prev by Date: Re: how to restrict users to search in their own Organizational Unit
Next by Date: Upgrading large distributed environment from AD2000 to AD 2003 - Risks, Challenges
Previous by thread: Query to extract only those group members with enabled accounts
Next by thread: Re: Query to extract only those group members with enabled accounts
Index(es):
- Date
- Thread

Relevant Pages

Re: Group password reset
... You can use dsquery to pipe the results to dsmod. ... best to try out on a couple test accounts first. ...
(microsoft.public.security)
Query to extract only those group members with enabled accounts
... I would like to extract a list of the members of an AD group, ... include those with enabled accounts (i.e. anyone whose account is not ... I thought that my logic was sound - using dsquery to find non-disabled ... a dsget example from the online help, ...
(microsoft.public.windows.server.active_directory)
Re: Technical Q: Is there a CMD for DSQuery user -lockedout?
... some of the command line features more to learn them. ... can quickly get a list of accounts that are disabled via the dsquery ... There is no dsquery user switch for what you want. ... I even made a mmc with all the dc event logs on it but it still ...
(microsoft.public.cert.exam.mcse)
Re: Saved Querys Windows 2003
... lastlogonTimestamp is the user object attribute that will give you this but ... you can also dsquery. ... This next command will search for and disable any accounts not used for 4 ...
(microsoft.public.win2000.active_directory)
Re: AD HOUSEKEEPING
... You can try DSQUERY to find all inactive accounts in particular ... want to get rid of all inactive user accounts and computer accounts. ... There is plenty advice on how to accomplish this in Server 2003 mode using ... dsquery etc but we are stuck with Windows 2000 DCs at the moment. ...
(microsoft.public.windows.server.active_directory)