Tags: c#, active-directory, distinguishedname

Get manager's employees from AD


I am trying to get a list of employees of a manager given his DN. Assuming the logged-in user is a manager,

1) Search for the manager in Active Directory using the sAMAccountName (i.e. domain ID) and retrieve the distinguishedName

2) Search for all user objects in Active Directory with the "manager" attribute equal to the previously retrieved distinguishedName

However, my DirectoryEntry collection is always empty. Here is what I have done, assuming the user/manager's DN is given.

private static List<DirectoryEntry> GetUserDEByManagerDN(string sDN)
{
    string adPath = ConfigurationManager.AppSettings["ADPath"].ToString();
    DirectoryEntry de = new DirectoryEntry(adPath + "/" + sDN);
    List<DirectoryEntry> lsUsers = new List<DirectoryEntry>();

    using (DirectorySearcher Search = new DirectorySearcher())
    {
        Search.SearchRoot = de;
        Search.Filter = "(&(manager=" + sDN + "))";
        //Search.Filter = "(&(manager=" + sDN + ")(extensionAttribute14=INV))";
        Search.SearchScope = SearchScope.Base;  // Also tried SearchScope.Subtree
        SearchResultCollection Results = Search.FindAll();

        if (null != Results)  // Results is not null but has zero length
        {
            foreach (SearchResult Result in Results)
            {
                DirectoryEntry deUser = Result.GetDirectoryEntry();

                if (null != deUser)
                    lsUsers.Add(deUser);
            }
        }
    }
    return lsUsers;
}

I also tried escaping DN using:

string sEscapedDN = sDN.Replace('\\', '\x5C').Replace(')', '\x29').Replace('(', '\x28').Replace('*', '\x2A');

No luck. Any help is appreciated.


Solution

  • Following itsme86's suggestion to set the search root to the container that has all of the users and Camilo Terevinto's specific suggestion to remove the manager's DN from the AD path, the issue was resolved. I also had to change the search scope from base to subtree.

    Below is what worked for me:

    using System.Collections.Generic;
    using System.Configuration;
    using System.DirectoryServices;

    private static List<DirectoryEntry> GetUserDEByManagerDN(string sManagerDN)
    {
        string adPath = ConfigurationManager.AppSettings["ADPath"].ToString();

        /* This was one of the issues: the search root must be the container
           that holds the users, not the manager's own object. */
        //DirectoryEntry de = new DirectoryEntry(adPath + "/" + sManagerDN);
        DirectoryEntry de = new DirectoryEntry(adPath);

        List<DirectoryEntry> lsUsers = new List<DirectoryEntry>();

        using (DirectorySearcher Search = new DirectorySearcher())
        {
            Search.SearchRoot = de;

            /* I had to include extension attribute 14 to get rid of some unusual "users",
               like Fax, special accounts, etc. You might not need it. */
            //Search.Filter = "(manager=" + sManagerDN + ")";
            Search.Filter = "(&(manager=" + sManagerDN + ")(extensionAttribute14=INV))";

            //Search.SearchScope = SearchScope.Base;
            Search.SearchScope = SearchScope.Subtree;

            // FindAll never returns null; dispose the collection when done,
            // otherwise the underlying handles are leaked.
            using (SearchResultCollection Results = Search.FindAll())
            {
                foreach (SearchResult Result in Results)
                {
                    DirectoryEntry deUser = Result.GetDirectoryEntry();

                    if (null != deUser)
                        lsUsers.Add(deUser);
                }
            }
        }
        return lsUsers;
    }
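One thing neither the question nor the accepted fix addresses is that the manager's DN is concatenated straight into the LDAP filter. A DN is free to contain characters that are special inside a filter: a CN such as `Smith\, John (Sales)` carries a backslash and parentheses, and `*` is a wildcard. Unescaped, those either make the filter invalid or make it match the wrong objects, which is another way to end up with an empty result set (or, if the value ever comes from user input, an LDAP filter injection). The question's attempt to escape by replacing `\` with `'\x5C'` is a no-op, because `'\x5C'` is the same backslash character; RFC 4515 escaping replaces each special character with a backslash followed by its two hex digits. The following is an added example, not code from the original question or answer: it performs both steps of the procedure (sAMAccountName to DN, then DN to direct reports) with the DN escaped, the search root at the domain, subtree scope, paged results and disposed result collections. The LDAP path, the user object filter on `objectCategory`/`objectClass` (used here instead of the site-specific `extensionAttribute14`), and the account name passed on the command line are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original post. Assumes an LDAP path like
// "LDAP://DC=example,DC=com" reachable by the running account, and the
// standard AD attributes sAMAccountName, distinguishedName and manager.
public static class ManagerReports
{
    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    // Without this, a DN such as "CN=Smith\, John (Sales),OU=Staff,DC=example,DC=com"
    // breaks the filter: '\' , '(' , ')' and '*' are filter metacharacters.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Step 1: look up the manager by sAMAccountName and return the DN (null if absent).
    public static string GetDistinguishedName(string adPath, string samAccountName)
    {
        using (var root = new DirectoryEntry(adPath))
        using (var searcher = new DirectorySearcher(root))
        {
            // objectCategory=person + objectClass=user keeps contacts and computers out.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["distinguishedName"].Count == 0)
                return null;
            return (string)result.Properties["distinguishedName"][0];
        }
    }

    // Step 2: every user whose manager attribute equals the escaped DN.
    public static List<string> GetDirectReports(string adPath, string managerDn)
    {
        var reports = new List<string>();
        using (var root = new DirectoryEntry(adPath))          // search the whole domain,
        using (var searcher = new DirectorySearcher(root))     // not the manager's object
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(manager="
                              + EscapeFilterValue(managerDn) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 500;   // paged results; FindAll is otherwise capped by the server's MaxPageSize
            searcher.PropertiesToLoad.Add("sAMAccountName");

            // SearchResultCollection must be disposed or its handles leak.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    if (r.Properties["sAMAccountName"].Count > 0)
                        reports.Add((string)r.Properties["sAMAccountName"][0]);
                }
            }
        }
        return reports;
    }

    public static void Main(string[] args)
    {
        // Assumed values: the domain path and the manager's account name.
        string adPath = "LDAP://DC=example,DC=com";
        string managerAccount = args.Length > 0 ? args[0] : Environment.UserName;

        string managerDn = GetDistinguishedName(adPath, managerAccount);
        if (managerDn == null)
        {
            Console.WriteLine("No user object found for " + managerAccount);
            return;
        }
        Console.WriteLine("Manager DN: " + managerDn);
        foreach (string report in GetDirectReports(adPath, managerDn))
            Console.WriteLine("  " + report);
    }
}
```

Two practical notes. Active Directory maintains `directReports` on the manager's object as the back-link of `manager`, so once the manager's DN is known the same set can be read from that one attribute instead of a second search; the filter form above is still what you want when you need to combine it with other conditions, as the answer does with `extensionAttribute14`. And `EscapeFilterValue` is for values inside a filter only; a DN that is being used to bind to an object (the `LDAP://.../CN=...` path form) has different quoting rules, which is why the question's path plus filter combination was doubly fragile.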