A friend asked me about setting up a query for returning all the users in one group.

I first tried to set it up by using the wizard which I could noit get to work and then I found the option called “Custon Search” which uses a standard LDAP query. I tried this and after a little fiddeling around finding the correct CN I came up with this:

(&(objectcategory=person)(objectclass=user)(memberof=CN=Group,OU=OrgUnit,DC=domain,DC=local))

The problem from the beginning was that I did not use the CN (eg CN=Group ,OU=OrgUnit,DC=domain,DC=local)

If you want to find all users NOT in a certain group you use:

(&(objectcategory=person)(objectclass=user)(!(memberof=CN=Group,OU=OrgUnit,DC=domain,DC=local)))

While looking around I also found this for finding disabled users:

(&(objectcategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Here is a link to some other LDAP queries.