A friend asked me about setting up a query for returning all the users in one group.
I first tried to set it up by using the wizard, which I could not get to work, and then I found the option called “Custom Search”, which uses a standard LDAP query. I tried this, and after a little fiddling around finding the correct CN I came up with this:
(&(objectcategory=person)(objectclass=user)(memberof=CN=Group,OU=OrgUnit,DC=domain,DC=local))
The problem from the beginning was that I did not use the CN (e.g. CN=Group,OU=OrgUnit,DC=domain,DC=local).
If you want to find all users NOT in a certain group you use:
(&(objectcategory=person)(objectclass=user)(!(memberof=CN=Group,OU=OrgUnit,DC=domain,DC=local)))
While looking around I also found this for finding disabled users:
(&(objectcategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Here is a link to some other LDAP queries.
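
The three filters above, rebuilt in Python as an added example (not code from the original post; the function names and sample accounts are made up for illustration). It escapes the group DN per RFC 4515 so characters such as parentheses in a group name cannot break the filter, and it shows locally how the 1.2.840.113556.1.4.803 bit-AND rule picks out disabled accounts.

```python
# Added example: rebuilds the post's three filters and mimics the bit-AND rule locally.
BIT_AND_OID = "1.2.840.113556.1.4.803"   # AD matching rule: (attr & value) == value
UAC_ACCOUNTDISABLE = 0x2                 # userAccountControl flag for a disabled account
USER_BASE = "(objectcategory=person)(objectclass=user)"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def users_in_group(group_dn, negate=False):
    """Filter for users who are (or, with negate, are not) direct members of group_dn."""
    clause = "(memberof=%s)" % escape_filter_value(group_dn)
    if negate:
        clause = "(!%s)" % clause
    return "(&%s%s)" % (USER_BASE, clause)


def disabled_users():
    """Filter for users whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return "(&%s(userAccountControl:%s:=%d))" % (USER_BASE, BIT_AND_OID, UAC_ACCOUNTDISABLE)


def bit_and_match(attr_value, assertion):
    """The comparison the bit-AND rule performs: every asserted bit must be set."""
    return (attr_value & assertion) == assertion


# Constructed sample accounts (not real data): name -> userAccountControl.
# 512 = normal account, 514 = normal + disabled,
# 66048 = normal + password never expires, 66050 = the same but disabled.
SAMPLE_UAC = {"alice": 512, "bob": 514, "carol": 66048, "dave": 66050}


def disabled_in_sample(accounts=SAMPLE_UAC):
    """Names in the constructed sample that the disabled-users filter would match."""
    return sorted(n for n, uac in accounts.items() if bit_and_match(uac, UAC_ACCOUNTDISABLE))


if __name__ == "__main__":
    dn = "CN=Group,OU=OrgUnit,DC=domain,DC=local"
    print(users_in_group(dn))
    print(users_in_group(dn, negate=True))
    print(disabled_users())
    # Hypothetical group name containing parentheses, to show the escaping.
    print(users_in_group("CN=Sales (EMEA),OU=OrgUnit,DC=domain,DC=local"))
    print(disabled_in_sample())
```

memberof holds direct membership only, so users who belong through a nested group or through their primary group are not returned by the first two filters.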