ldapsearch find disabled users in Active Directory

If you want to find the disabled users in your AD environment, you can use a specific filter. Additionally, due to the number of records returned, I had to turn on paging (pr = some arbitrarily high value) so I could actually retrieve more than just the first 1000 entries.

echo '' | ldapsearch -E 'pr=4500' -z max -b 'dc=prod1,dc=example,dc=com' -s 'sub' -x -D 'CN=B Stack15,OU=Users,DC=prod1,DC=example,DC=com' -W -H 'ldaps://dc4.prod1.example.com:636' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' dn

The userAccountControl attribute is a bit field that stores several account settings, including whether the account is disabled. The :1.2.840.113556.1.4.803:= syntax in the filter is the LDAP_MATCHING_RULE_BIT_AND extensible match: it tests the attribute against a bitmask and matches only entries in which every bit of the given value is set, and 2 is the ACCOUNTDISABLE bit.



  1. https://www.petri.com/find-disabled-and-inactive-active-directory-users-accounts-with-powershell-revisited
  2. Found from web search string “userAccountControl:1.2.840.113556.1.4.803” https://blogs.technet.microsoft.com/mempson/2011/08/24/useraccountcontrol-flags/
  3. https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
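As an added example (not part of the original post), here is a small Python script that decodes userAccountControl values into flag names, applies the same bitwise test that the 803 matching rule asks the domain controller to perform, and runs it over constructed ldapsearch-style output. The flag table follows KB 305144 (reference 3); the sample DNs are made up, and the minimal LDIF reader only handles plain attr: value lines.

```python
"""Decode userAccountControl and replicate the LDAP_MATCHING_RULE_BIT_AND test."""

# Flag bits of userAccountControl, as documented in Microsoft KB 305144.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x00000002

# Matching-rule OIDs used in extensible-match filters against Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the value must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the value may be set


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_matches(value, mask):
    """The test the server performs for (attr:1.2.840.113556.1.4.803:=mask)."""
    return (value & mask) == mask


def bit_or_matches(value, mask):
    """The test the server performs for (attr:1.2.840.113556.1.4.804:=mask)."""
    return (value & mask) != 0


def uac_filter(rule, mask):
    """The user filter from the post, with the rule OID and mask as parameters."""
    return "(&(objectCategory=person)(objectClass=user)(userAccountControl:%s:=%d))" % (rule, mask)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines.
    Base64 ('attr:: value') and line continuations are not handled here."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def disabled_dns(ldif_text):
    """DNs of entries whose userAccountControl carries the ACCOUNTDISABLE bit."""
    return [
        rec["dn"][0]
        for rec in parse_ldif(ldif_text)
        if "userAccountControl" in rec
        and bit_and_matches(int(rec["userAccountControl"][0]), ACCOUNTDISABLE)
    ]


# Constructed sample output of an ldapsearch that also requested
# userAccountControl (made-up entries, not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=prod1,DC=example,DC=com
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=prod1,DC=example,DC=com
userAccountControl: 514

dn: CN=svc-backup,OU=Service,DC=prod1,DC=example,DC=com
userAccountControl: 66050

dn: CN=Carol Example,OU=Users,DC=prod1,DC=example,DC=com
userAccountControl: 66048
"""

if __name__ == "__main__":
    print(uac_filter(LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE))
    for rec in parse_ldif(SAMPLE_LDIF):
        uac = int(rec["userAccountControl"][0])
        print(rec["dn"][0], uac, decode_uac(uac))
    print("disabled:", disabled_dns(SAMPLE_LDIF))
```

Running it prints the exact filter from the ldapsearch command above, then each sample entry with its decoded flags (512 is an enabled normal account, 514 the same account disabled, 66050 disabled with a non-expiring password), and finally the two DNs the 803 rule would return. Swapping in LDAP_MATCHING_RULE_BIT_OR with a multi-bit mask shows the difference between "all bits" and "any bit" matching.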

Playbook that Converts Local to AD Users

If you like removing local users in favor of the domain users, check out how to do that in shell at my post Convert Local to AD Users.

If you want to do it at scale, you can wrap it with a bit of ansible. Check out the full thing with syntax highlighting on gitlab: https://gitlab.com/bgstack15/former-gists/blob/master/cladu.yml/cladu.yml

# Only use one thisuser at a time, for the fail/changed logic to work correctly!
# usage: ansible-playbook -l targethost1 /etc/ansible/books/stable/cladu.yml -v -e 'thisuser=joneill'
# The structural keys (tasks, copy, args, failed_when, changed_when) were lost in
# this copy and are restored below; the full playbook is at the gitlab link above.

- name: book that runs cladu
  hosts: all
  become: yes
  become_user: root
  become_method: sudo
  tasks:

  - name: copy in rpm
    copy:
      src: /etc/ansible/files/bgscripts-core-1.3-9.noarch.rpm
      dest: /tmp/
      mode: 0644

  # rpm exits non-zero when the package is already installed, which is not a failure here
  - shell: rpm -U --nodeps /tmp/bgscripts-core-1.3-9.noarch.rpm
    args:
      warn: no    # silences the "use the yum module" hint; this option was removed in ansible-core 2.14
    register: this_rpm
    failed_when:
      - 'not ("is already installed" in this_rpm.stdout or "is already installed" in this_rpm.stderr or this_rpm.rc == 0)'
    changed_when:
      - 'not ("is already installed" in this_rpm.stdout or "is already installed" in this_rpm.stderr)'

  # cladu.sh reports "Skipped" or "Failed" per user, which is why one user per run is expected
  - shell: /usr/share/bgscripts/work/cladu.sh -r -g '{{ thisuser }}'
    args:
      warn: no
    register: this_shell
    changed_when:
      - 'not ("Skipped" in this_shell.stdout or "Failed" in this_shell.stdout)'
    failed_when:
      - '"Failed" in this_shell.stdout'

Learn when a user was added or removed from AD domain group

Ripped shamelessly from https://learn-powershell.net/2013/05/21/find-when-a-user-was-added-or-removed-to-a-domain-group-using-powershell-and-repadmin/

I was investigating when a user was added to a group the other day, because I completely missed a member of a different team being added to my linux_admins group, which gets full sudo privileges on every GNU/Linux system in the corporate network.

repadmin /showobjmeta dc1 'CN=Domain Admins,CN=Users,DC=example,DC=com'

Join RHEL6 to Active Directory

There are many things you need to do first, like installing the packages and configuring pam, nsswitch and resolv.conf, which are documented elsewhere and might make it into this document eventually. I was struggling with a RHEL6 server (for which realm is not packaged) and AD.
From EPEL, install msktutil.

# get a ticket for an account that is allowed to join computers to the domain
kinit administrator
# create the computer object and write the host keytab
adcli join -D domain.example.com -K /etc/krb5.keytab -U administrator --show-details
# update the keytab and add the host service principal
msktutil -u -s host



Convert Local to AD Users

Project CLADU

CLADU stands for Convert Local to AD User.

When you want to take local accounts and remove them and have the AD user with the exact same name take its place, use cladu.

usage: cladu.sh [-duV] [-gr] [--ng] [--nr] user1 [ user2 user3 ... ]
version 2018-03-09a
-d debug Show debugging info, including parsed variables.
-u usage Show this usage block.
-V version Show script version number.
-g groups Add the AD user to the local groups of the local user. Default is to skip this action.
--ng Do not perform the -g action
-r report Generate report in each user homedir.
--nr Do not perform the -r action
Environment variables:
Parameters override environment variables
CLADU_USER_REPORT any non-null value will perform the -r action.
CLADU_USER_REPORT_FILENAME=converted.txt File to save report to in each homedir
CLADU_GROUPS any non-null value will perform the -g action.
Return values:
0 Normal
1 Help or version info displayed
2 Count or type of flaglessvals is incorrect
3 Incorrect OS type
4 Unable to find dependency
5 Not run as root or sudo

Go check out the entire source to look at the flow of the script.

Get SID from Linux ldapsearch in Active Directory

With the help of a fantastic post on ServerFault, here is a way to find a user’s SID in string format from an ldapsearch against Active Directory.

#!/bin/sh
# Filename: get_sid.sh
# Author: YasithaB
# Startdate: 2018-02-14 15:58
# Title: Script that Converts Sid from AD Ldap Hexadecimal into String
# Purpose: Help convert sid to usable value
# History:
#    2018-02-15 Modified to work with kornshell
# Usage:
#    ldapsearch -b 'dc=prod,dc=example,dc=com' -s 'sub' -x -D 'CN=My Username,OU=Domain Users,DC=prod,DC=example,DC=com' -W -H 'ldaps://adds2.prod.example.com:636' '(cn=Target Username)' objectSid | grep -E '^objectSid:' | awk '{print $2}' | ./get_sid.sh --stdin
# Reference:
#    https://serverfault.com/questions/851864/get-sid-by-its-objectsid-using-ldapsearch/852338#852338
# Improve:
# Document: Below this line

# Base-64 encoded objectSid, from the first argument or from stdin (--stdin)
case "${1}" in
   "--stdin" ) read OBJECT_ID ;;
   "") : ;;
   *) OBJECT_ID="${1}" ;;
esac
if [ -z "${OBJECT_ID}" ] ; then
   echo "usage: ${0} <base64-objectSid> | ${0} --stdin" >&2
   exit 2
fi

# Decode it and hex-dump it into one continuous string of uppercase hex digits
H="$(printf '%s' "${OBJECT_ID}" | base64 -d -i | hexdump -v -e '1/1 "%02X"')"

# SID Structure: https://technet.microsoft.com/en-us/library/cc962011.aspx
#    byte 0     revision
#    byte 1     number of sub-authorities
#    bytes 2-7  identifier authority, big endian
#    then N four-byte sub-authorities, little endian; the last one is the RID
# LESA = Little Endian Sub Authority
# BESA = Big Endian Sub Authority
# LERID = Little Endian Relative ID
# BERID = Big Endian Relative ID
REVISION="$(printf '%d' "0x$(printf '%s' "${H}" | cut -c 1-2)")"
COUNT="$(printf '%d' "0x$(printf '%s' "${H}" | cut -c 3-4)")"
AUTHORITY="$(printf '%d' "0x$(printf '%s' "${H}" | cut -c 5-16)")"
SID="S-${REVISION}-${AUTHORITY}"

# Each sub-authority is 8 hex digits, starting at character 17. Reverse the byte
# order (LESA -> BESA, and LERID -> BERID for the last one) before converting to decimal.
i=0
while [ "${i}" -lt "${COUNT}" ] ; do
   start=$(( 17 + i * 8 ))
   LESA="$(printf '%s' "${H}" | cut -c "${start}-$(( start + 7 ))")"
   BESA="$(printf '%s' "${LESA}" | cut -c 7-8)$(printf '%s' "${LESA}" | cut -c 5-6)$(printf '%s' "${LESA}" | cut -c 3-4)$(printf '%s' "${LESA}" | cut -c 1-2)"
   SID="${SID}-$(printf '%d' "0x${BESA}")"
   i=$(( i + 1 ))
done

echo "${SID}"
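The same conversion that get_sid.sh performs, as an added Python example that is not part of the original post or the ServerFault answer. It parses the base64 objectSid by the documented layout (revision, sub-authority count, big-endian identifier authority, little-endian sub-authorities) and also encodes a SID string back into base64, which is useful for producing test vectors for the shell script. The base64 value used below is the well-known BUILTIN\Administrators SID S-1-5-32-544; the domain SID is a constructed sample.

```python
"""Decode an Active Directory objectSid (base64 as printed by ldapsearch) into
its S-R-I-S... string form, and encode it back again."""
import base64
import struct


def decode_object_sid(b64):
    """objectSid layout (see the TechNet page cited in get_sid.sh):
    byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier
    authority (big endian), then count x 4-byte sub-authorities (little
    endian). The final sub-authority is the RID."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("objectSid shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def encode_object_sid(sid):
    """Inverse of decode_object_sid: the base64 text ldapsearch would print."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = (bytes([revision, len(subs)])
           + authority.to_bytes(6, "big")
           + struct.pack("<%dI" % len(subs), *subs))
    return base64.b64encode(raw).decode("ascii")


def objectsid_hex(b64):
    """The same uppercase hex string that get_sid.sh builds with hexdump."""
    return base64.b64decode(b64).hex().upper()


def rid(sid):
    """Relative identifier: the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def domain_sid(sid):
    """Everything before the RID, i.e. the domain (or BUILTIN) part."""
    return sid.rsplit("-", 1)[0]


# Well-known BUILTIN\Administrators SID in the form ldapsearch prints it,
# plus a constructed domain SID (not a real domain).
BUILTIN_ADMINS_B64 = "AQIAAAAAAAUgAAAAIAIAAA=="
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"

if __name__ == "__main__":
    print(objectsid_hex(BUILTIN_ADMINS_B64), "->", decode_object_sid(BUILTIN_ADMINS_B64))
    b64 = encode_object_sid(SAMPLE_DOMAIN_SID)
    print(SAMPLE_DOMAIN_SID, "->", b64, "->", decode_object_sid(b64))
    print("domain:", domain_sid(SAMPLE_DOMAIN_SID), "rid:", rid(SAMPLE_DOMAIN_SID))
```

Feeding the printed base64 of SAMPLE_DOMAIN_SID to ./get_sid.sh should give the same string back, which is a quick way to check the shell script on a host without directory access. The length check matters in practice: a truncated or mis-pasted base64 value would otherwise decode to a plausible-looking but wrong SID.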