Get members of Active Directory Group and check if they are enabled or disabled

Karsten Strøbæk · Aug 30, 2011 · Viewed 63.1k times

What is the fastest way to get a list of all members/users in a given AD group and determine whether or not a user is enabled (or disabled)?

We are potentially talking about 20K users, so I would like to avoid hitting the AD for each individual user.

Answer

marc_s · Aug 30, 2011

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD:

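using System;
using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
   // iterate over members
   foreach (Principal p in group.GetMembers())
   {
      Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);

      // do whatever you need to do to those members
      UserPrincipal theUser = p as UserPrincipal;

      if (theUser != null)
      {
          // Enabled is a nullable bool and reports the enabled/disabled flag.
          // IsAccountLockedOut() reports a lockout, which is a separate state
          // from a disabled account.
          if (theUser.Enabled == true)
          {
               // account is enabled
          }
          else
          {
               // account is disabled (or the flag is not set)
          }
      }
   }
}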

The new S.DS.AM makes it really easy to play around with users and groups in AD!