Asked by maqskywalker

C# LDAP query to get group members from a Microsoft Active Directory group

Hi Experts,

I'm using C# in an ASP.NET Core 5.0 MVC Web Application.

I'm using the System.DirectoryServices 5.0 NuGet package in my core application.

I'm using the technique described in this article.

Using Active Directory in .NET

I used this method from the above article to create my own filter that queries my organization's Microsoft Active Directory.

My method is in my HomeController.cs.

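// requires: using System.DirectoryServices;
private void GetAllUsers()
{
    SearchResultCollection results;
    DirectorySearcher ds = null;
    // Bind to the current domain root (GetCurrentDomainPath() comes from the article)
    DirectoryEntry de = new DirectoryEntry(GetCurrentDomainPath());
    ds = new DirectorySearcher(de);
    // Match every user object in the domain
    ds.Filter = "(&(objectCategory=User)(objectClass=person))";
    results = ds.FindAll();
    foreach (SearchResult sr in results)
    {
        // Using the index zero (0) is required!
    }
}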


My Active Directory Group Setup

I have an Active Directory group called AcmeEmployees.

I have assigned some subordinate groups to the AcmeEmployees group.

These are the subordinate groups that I have assigned to the AcmeEmployees group:






The AcmeAccountants group contains 8 users

The AcmeEngineers group contains 10 users

The AcmeLawyers group contains 6 users

Example 1

I’m trying to create a filter that will give me all the users of all the subordinate groups that belong to the AcmeEmployees group.


I created this filter using this rule: LDAP_MATCHING_RULE_IN_CHAIN.


// get all the members of subgroups that are members of Group AcmeEmployees - returns 24 users

ds.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=AcmeEmployees,OU=Universal,OU=Groups,OU=ACME,DC=com))";


This filter gives me 24 users. That is exactly what I want. 

It gets me all the users from all the groups belonging to AcmeEmployees group.


The problem with this filter is that it takes like 13 seconds to finish running.

Reference Article:


Example 2


Another filter I created was this one using logical OR and AND statements and hardcoding the groups. 


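// get all users belonging to AcmeAccountants and AcmeEngineers and AcmeLawyers groups - returns 24 users

ds.Filter = "(&(&(objectCategory=user))(|(memberOf=CN=AcmeAccountants,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    "(memberOf=CN=AcmeEngineers,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    // The post's code is cut off here; this clause assumes AcmeLawyers sits in the same OU as the two groups above
    "(memberOf=CN=AcmeLawyers,OU=Universal,OU=Groups,OU=ACME,DC=com)))";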




This filter gives me 24 users. But I don’t want to hard code the groups in my filter.

I only want to reference the main group in my filter in case I add more subordinate groups to it.

My Question:



Is there another way to write the filter I created in Example 1 above?

So it doesn’t take like 13 seconds to run.




Is there another way to write that same filter without using LDAP_MATCHING_RULE_IN_CHAIN?

Tags: C#, Microsoft, Active Directory
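An added example, not part of the original question or of any answer in this thread: one way to get the Example 1 result without LDAP_MATCHING_RULE_IN_CHAIN is to walk the nested groups with one small query per group, then generate the Example 2 filter from the groups found, escaping each DN per RFC 4515 so that a DN containing `(`, `)`, `*` or `\` cannot change the filter's structure. The class and method names are hypothetical, and `root` is assumed to be an already-bound DirectoryEntry for the domain; whether this runs faster than the matching rule depends on the directory.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;

// Hypothetical helper (added example, not code from the post or the article)
public static class NestedGroupQuery
{
    // RFC 4515: hex-escape the characters that are special inside a filter value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Breadth-first walk: query the direct subgroups of each group, visiting each group once.
    public static List<string> ExpandGroups(DirectoryEntry root, string parentDn)
    {
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { parentDn };
        var queue = new Queue<string>(seen);
        while (queue.Count > 0)
        {
            string filter = "(&(objectCategory=group)(memberOf="
                + EscapeFilterValue(queue.Dequeue()) + "))";
            using (var ds = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
            using (SearchResultCollection groups = ds.FindAll())
                foreach (SearchResult sr in groups)
                {
                    string dn = (string)sr.Properties["distinguishedName"][0];
                    if (seen.Add(dn)) queue.Enqueue(dn);   // Add() is false on a repeat: guards circular nesting
                }
        }
        return seen.ToList();   // parent group plus every nested group
    }

    // Same shape as the Example 2 filter, generated from the expanded list instead of hard-coded.
    public static string BuildUserFilter(IEnumerable<string> groupDns) =>
        "(&(objectCategory=user)(|" +
        string.Concat(groupDns.Select(dn => "(memberOf=" + EscapeFilterValue(dn) + ")")) + "))";
}
```

Assigning `BuildUserFilter(ExpandGroups(de, "CN=AcmeEmployees,OU=Universal,OU=Groups,OU=ACME,DC=com"))` to `ds.Filter` keeps only the main group's DN in the calling code; the parent DN is included in the list so users placed directly in AcmeEmployees are matched as well.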

Last Comment: 8/22/2022 - Mon
