Avatar of maqskywalker

C# LDAP query to get group members from a Microsoft Active Directory group

Hi Experts,

I'm using C# in an ASP.NET Core 5.0 MVC Web Application.

I'm using the System.DirectoryServices 5.0 nuget package in my core application.

I'm using the technique described in this article.

Using Active Directory in .NET

I used this method from the above article to create my own filter that queries my organization's Microsoft Active Directory.

My method is in my HomeController.cs.

private void GetAllUsers()
{
    // Bind to the current domain and search it for user objects.
    DirectoryEntry de = new DirectoryEntry(GetCurrentDomainPath());
    DirectorySearcher ds = new DirectorySearcher(de);
    ds.Filter = "(&(objectCategory=User)(objectClass=person))";
    SearchResultCollection results = ds.FindAll();
    foreach (SearchResult sr in results)
    {
        // Using the index zero (0) is required!
    }
}


My Active Directory Group Setup

I have an Active Directory group called AcmeEmployees.

I have assigned some subordinate groups to the AcmeEmployees group.

These are the subordinate groups that I have assigned to the AcmeEmployees group:






The AcmeAccountants group contains 8 users

The AcmeEngineers group contains 10 users

The AcmeLawyers group contains 6 users

Example 1

I’m trying to create a filter that will give me all the users of all the subordinate groups that belong to the AcmeEmployees group.


I created this filter using this rule: LDAP_MATCHING_RULE_IN_CHAIN


// get all the members of subgroups that are members of Group AcmeEmployees - returns 24 users

ds.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=AcmeEmployees,OU=Universal,OU=Groups,OU=ACME,DC=com))";


This filter gives me 24 users. That is exactly what I want. 

It gets me all the users from all the groups belonging to AcmeEmployees group.


The problem with this filter is that it takes like 13 seconds to finish running.

Reference Article:


Example 2


Another filter I created was this one using logical OR and AND statements and hardcoding the groups. 


// get all users belonging to AcmeAccountants and AcmeEngineers and AcmeLawyers groups - returns 24 users

ds.Filter = "(&(&(objectCategory=user))(|(memberOf=CN=AcmeAccountants,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    "(memberOf=CN=AcmeEngineers,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    "(memberOf=CN=AcmeLawyers,OU=Universal,OU=Groups,OU=ACME,DC=com)))";




This filter gives me 24 users. But I don’t want to hard code the groups in my filter.

I only want to reference the main group in my filter in case I add more subordinate groups to it.

My Question:



Is there another way to write the filter I created in Example 1 above?

So it doesn’t take like 13 seconds to run.




Is there another way to write that same filter without using LDAP_MATCHING_RULE_IN_CHAIN?

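Added example, not part of the original question or of any answer on this page: one way to reference only the parent group without LDAP_MATCHING_RULE_IN_CHAIN is to expand the nesting client-side, running the plain `memberOf` match from Example 2 once per group found. The names `NestedGroupUsers`, `Expand`, `AdDirectMembers`, `EscapeFilter` and `rootEntry` are hypothetical, and the in-memory directory in `Main` is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class NestedGroupUsers
{
    // Breadth-first walk from the parent group; directMembers(groupDn) yields each direct member.
    public static HashSet<string> Expand(string rootDn,
        Func<string, IEnumerable<(string Dn, bool IsGroup)>> directMembers)
    {
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { rootDn };
        var queue = new Queue<string>(new[] { rootDn });
        while (queue.Count > 0)
            foreach (var (dn, isGroup) in directMembers(queue.Dequeue()))
            {
                if (!seen.Add(dn)) continue;   // visited already; also stops group cycles
                if (isGroup) queue.Enqueue(dn); else users.Add(dn);
            }
        return users;
    }

    // RFC 4515 escaping, so a DN containing ( ) * or \ cannot alter the filter.
    static string EscapeFilter(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    // One paged search per group, using the plain (non-chain) memberOf match.
    public static IEnumerable<(string Dn, bool IsGroup)> AdDirectMembers(DirectoryEntry root, string groupDn)
    {
        using var ds = new DirectorySearcher(root) { PageSize = 500 };
        ds.Filter = "(&(|(objectCategory=user)(objectCategory=group))(memberOf="
                    + EscapeFilter(groupDn) + "))";
        ds.PropertiesToLoad.AddRange(new[] { "distinguishedName", "objectClass" });
        using SearchResultCollection results = ds.FindAll();
        foreach (SearchResult sr in results)
            yield return ((string)sr.Properties["distinguishedName"][0], sr.Properties["objectClass"].Contains("group"));
    }

    static void Main()
    {
        // Constructed in-memory directory (not real data): runs without a domain.
        var dir = new Dictionary<string, (string, bool)[]> {
            ["CN=AcmeEmployees"] = new[] { ("CN=AcmeAccountants", true), ("CN=AcmeEngineers", true) },
            ["CN=AcmeAccountants"] = new[] { ("CN=alice", false), ("CN=AcmeEmployees", true) }, // cycle
            ["CN=AcmeEngineers"] = new[] { ("CN=alice", false), ("CN=bob", false) } };
        Console.WriteLine(string.Join(", ", Expand("CN=AcmeEmployees", g => dir[g])));
        // Against a domain (rootEntry is a hypothetical DirectoryEntry): Expand(groupDn, g => AdDirectMembers(rootEntry, g));
    }
}
```

This costs one directory round trip per group in the hierarchy, so time it against the chain-rule filter on your own directory before choosing between them.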