Does anyone know an easy way to pull only active users from a Windows domain controller?

The Setup:
2 domain controllers.
The main is 2003 with ADS etc.
The second domain is an old NT domain at another location.

Due to firewalls and routing I can only query the 2k3 box, it in turn will show all users (including disabled) on the NT domain via the trust.

For various reason LDAP is not an option for me.

Essentially I need a way to pull only the enabled/active users from the DC's.

'wbinfo -u' in this case shows all users-including disabled accounts.

And no, I have no idea why the standing policy is to disable the accounts instead of removing them outright.

The reason:
I am setting up a jabber server and a couple other services that pull active accounts to the DB and will rip when the account is shut off. I am forced to use postgres for auth instead of LDAP due to the afore mentioned restrictions placed on me.

Anyone have any suggestions?

You could still use LDAP (the ldapclient tools) to feed the user
info into postgres on a scheduled basis.
(minus authentication, hostinfo and all or knowledge of your AD schema)
ldapsearch '(!(loginDisable=true))' cn


Cheers,
Tink

The NT domain does not have LDAP configured-it's a REALLY obsolete setup at the second location. Know if this would transverse to the second domain?

(Thanks for the re- )

lt0