Thanks, got it sorted out for the most part. Went with this for now: (&(objectCategory=person)(objectClass=user)(userAccountControl=512))
Limits it to just people and active accounts with passwords that can expire. Works out as our "service" accounts dont have expiration's on the passwords and this pulls in all the real people whos accounts havent been disabled while skipping things like machines/servers. For me it also means not having to manage users/groups to ensure new users get placed in a group for the Guacamole "filter". Instead any new user should be pulled in by this automatically. I found ADExplorer to be a very helpful tool for testing queries prior to trying them in Guacamole. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
