Get members of Active Directory Group and check if they are enabled or disabled

Question

What is the fastest way to get a list of all members/users in a given AD group and determine whether or not a user is enabled (or disabled)?

We are potentially talking about 20K users, so I would like to avoid hitting the AD for each individual user.

Answer 1

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

• Managing Directory Security Principals in the .NET Framework 3.5
• MSDN docs on System.DirectoryServices.AccountManagement

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context PrincipalContext ctx = new PrincipalContext(ContextType.Domain);  // find the group in question GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");  // if found.... if (group != null) {    // iterate over members    foreach (Principal p in group.GetMembers())    {       Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);        // do whatever you need to do to those members       UserPrincipal theUser = p as UserPrincipal;        if(theUser != null)       {           if(theUser.IsAccountLockedOut())            {                ...           }           else           {                ...           }       }    } } 

The new S.DS.AM makes it really easy to play around with users and groups in AD!