Yes, it's possible with an attribute scoped query. It requires W2K3 AD or later but will give you all of the users that have a particular attribute, i.e. membership in a group or, in your case, multiple groups (intersection of groups). One of the best examples is from Joe Kaplan and Ryan Dunn's book "The .NET Developer's Guide to Directory Services Programming"; for AD work it's hard to beat. Look at page 179 for a good walkthrough. Caveat: At this point you are past trivial searches in AD and a number of things are becoming important, like the search root, scope and the effect of searching through some potentially HUGE set of data for the items you want. Looking through 50 or 60K users to find the members of a group does have an effect on performance, and be prepared to do paged results or similar in case the dataset is large. Kaplan/Ryan do an excellent job of down-to-earth work to get you where you need to be. That said, I have used them on two AD projects with great success. Being able to retrieve the data from AD without recursive queries is VERY worthwhile and I found that it is fast as long as I control the size of my dataset.
How Can I Query LDAP for All Users By Filter in Grails?
In case you want to support multiple LDAP servers, then a sensible option will be making the ID configurable, i.e. ask users for a unique attribute during deployment. This will work for you in 100% of cases if your customers use LDAP for authentication, since even if the directory server doesn't support unique attributes itself, they have to keep at least one of them unique manually in order to enable connected systems to authenticate against LDAP, as it is unlikely that you can find software that will operate normally when there are duplicates in the authentication backend. Of course, during deployment you can suggest a default attribute that is known to be unique in a certain LDAP implementation (like samAccountName in AD) and you will hit the correct one in most cases.
C# LDAP Query to Get Managers of users in certain groups
I was able to get the results I needed by taking the following approach:
1. Dynamically build an LDAP query using the groups
2. Load the users from group 1, 2, and 3 into a list using a custom function
3. Use LINQ to get a distinct list of managers from the resulting list of users in groups 1, 2, and 3
4. Dynamically build another LDAP query using the distinguished names of the managers
5. Load the manager records into another list and combine with the original list of users
// class variables (declarations assumed from how the code below uses them;
// requires using System.Collections.Generic; and using System.Linq;)
List<string> activeDirectoryGroups;               // names of the AD groups to pull users from
List<ActiveDirectoryUser> recordsToInsert;        // users returned by the LDAP queries
List<ActiveDirectoryUser> uniqueRecordsToInsert;  // de-duplicated result
// build the query appender
// note: group names and DNs are spliced into the filter verbatim here; values that
// can contain ( ) * \ should be escaped per RFC 4515 before being appended
string queryAppender = "";
foreach (string activeDirectoryGroup in activeDirectoryGroups)
    queryAppender += "(memberof=CN=" + activeDirectoryGroup + ",OU=Groups,OU=<<ou>>,DC=<<dc>>,DC=<<dc>>,DC=<<org>>)";
// create the ldap query string
var ldapQueryForUsersInDtGroups = "(&(objectClass=user)(objectCategory=person)(|" + queryAppender + "))";
// first get the users that belong to the active directory groups...
recordsToInsert = getEmployeeRecordsFromLdapQuery(ldapQueryForUsersInDtGroups);
// then, query again to make sure we are including the managers for the people returned from the first query
// (users without a manager are skipped so no empty "(distinguishedName=)" clause is produced)
var distinctManagers = (from record in recordsToInsert
                        where !string.IsNullOrEmpty(record.manager)
                        select record.manager).Distinct();
// build an ldap query to get only the records for the managers we need
// example query string with 2 managers:
queryAppender = "";
foreach (var manager in distinctManagers)
    queryAppender += "(distinguishedName=" + manager + ")";
// ldap query filter for the managers
var ldapQueryForManagers = "(&(objectClass=user)(objectCategory=person)(|" + queryAppender + "))";
// combine the result set with the managers result set
recordsToInsert.AddRange(getEmployeeRecordsFromLdapQuery(ldapQueryForManagers));
// filter off any duplicates.
uniqueRecordsToInsert = recordsToInsert.GroupBy(x => x.employeeId).Select(x => x.First()).ToList<ActiveDirectoryUser>();
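As an added example (not part of the answer above), a small C# helper that builds the same two filters while escaping each spliced-in value per RFC 4515, so a group name or DN containing "(", ")", "*" or "\" cannot change the filter's structure; the container DN, sample group names and manager DNs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Hypothetical helper: builds the two-stage filters from the answer above, escaping
// every spliced-in value per RFC 4515 so it is matched literally and not parsed as filter syntax.
public static class LdapFilterBuilder
{
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
    // Stage 1: direct members of any listed group. groupContainer stands in for the answer's
    // OU=Groups,... suffix. A CN containing ',' must already be DN-escaped (RFC 4514) by the caller.
    public static string UsersInGroups(IEnumerable<string> groupNames, string groupContainer)
    {
        var clauses = groupNames.Select(g =>
            "(memberOf=CN=" + EscapeFilterValue(g) + "," + groupContainer + ")");
        return "(&(objectClass=user)(objectCategory=person)(|" + string.Concat(clauses) + "))";
    }
    // Stage 2: the managers, deduplicated case-insensitively (DNs compare that way in AD).
    public static string ManagersByDn(IEnumerable<string> managerDns)
    {
        var clauses = managerDns.Distinct(StringComparer.OrdinalIgnoreCase)
            .Select(dn => "(distinguishedName=" + EscapeFilterValue(dn) + ")");
        return "(&(objectClass=user)(objectCategory=person)(|" + string.Concat(clauses) + "))";
    }
    public static void Main()
    {
        // Constructed sample input; "Ops (EMEA)" would break an unescaped filter.
        var groups = new[] { "DT-Group1", "Ops (EMEA)" };
        Console.WriteLine(UsersInGroups(groups, "OU=Groups,DC=example,DC=org"));
        var managers = new[] { "CN=Alice,OU=Staff,DC=example,DC=org", "cn=alice,ou=staff,dc=example,dc=org" };
        Console.WriteLine(ManagersByDn(managers));
    }
}
```

When the stage-1 result can run to tens of thousands of users, as the first answer warns, set DirectorySearcher.PageSize so the server returns paged results instead of truncating at its size limit.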
How do I filter an LDAP query for groups containing a specific user?