Authenticate against specific group or OU in Active Directory RRS feed

  • Question

  • User-1852889626 posted


    Please help I am trying to get this to work at list for a week now. I was able to authenticate against the entire Active Directory, but thats not what I need.

    I need only a the people in this OU to be able to login. (OU=helpdesk,OU=Ac,DC=ash,DC=com")


    Dim ldapPath As String = "LDAP://" & domainName // this is a variable that being passed that looks like OU=helpdesk,OU=Ac,DC=ash,DC=com keep in mind I am able to login with any user in AD but I only need from this OU(Helpdesk) 

    Dim dirEntry As New DirectoryEntry(ldapPath, userName, userPassword, AuthenticationTypes.Secure)          

    Dim dirSearcher As New DirectorySearcher(dirEntry)

                dirSearcher.Filter ="(&(objectClass=group)(CN=KBAMHD))"  // this group has all the people in helpdesk            

    Dim results As SearchResultCollection = dirSearcher.FindAll()




    Form1.userForm2 = usernametextbox.Text          



    Catch ex As Exception

                MsgBox("Login fail")

                MsgBox("Sorry, wrong credentials")

    End Try

    Tuesday, August 14, 2012 2:09 PM


  • User636753033 posted

    A few things to try.

    Check to make sure you are using the full ldap string, for example LDAP://ash.com/OU=helpdesk,OU=Ac,DC=ash,DC=com.

    For your filter try using the memberof property with the full ldap path to the help desk group dirsearcher.Filter="
    (&(memberof=CN=KBAMHD,OU=helpdesk,DC=ash,DC=com)(samaccountname=userName))". That will return only that username that is a member of that group. Instead of hardcoding he CN for the group name I would suggest making a function that searched for the group using its CN and returned its path as a string.

    What you can also try loading the memberof property with propertiestoload.add. When the user attempts to login you can loop through the collection and see if the user is a member of that group and if not deny access.

    Also since you are just trying to authenticate the user you can use findone instead of findall since you are only wanting to find that one group and not all possible matches.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, August 16, 2012 7:30 PM