
I am trying to get the list of employees who report to a manager, given the manager's DN. Assuming the logged-in user is a manager, my approach is:

1) Search for the manager in active directory using the sAMAccountName (i.e. Domain ID) and retrieve the distinguishedName

2) Search for all user objects in active directory with the "manager" attribute equal to the previously retrieved distinguishedName

However, my Directory Entry Collection is always empty. Here is what I have done, assuming user/manager's DN is given.

/// <summary>
/// Searches Active Directory for objects whose <c>manager</c> attribute equals
/// <paramref name="sDN"/> and returns a <see cref="DirectoryEntry"/> for each hit.
/// </summary>
/// <param name="sDN">Distinguished name of the manager.</param>
/// <returns>One entry per search result; an empty list when nothing matches.</returns>
/// <remarks>
/// As written, the search is rooted at the manager's own object and uses
/// <c>SearchScope.Base</c>, so only that single object is tested against the filter.
/// </remarks>
private static List<DirectoryEntry> GetUserDEByManagerDN(string sDN)
{
    string adPath = ConfigurationManager.AppSettings["ADPath"].ToString();
    // Binds to ADPath + "/" + DN, i.e. the manager's own object; this becomes the search root below.
    // NOTE(review): de is never disposed in this method.
    DirectoryEntry de = new DirectoryEntry(adPath + "/" + sDN);
    List<DirectoryEntry> lsUsers = new List<DirectoryEntry>();

    using (DirectorySearcher Search = new DirectorySearcher())
    {
        Search.SearchRoot = de;
        // NOTE(review): sDN is concatenated into the filter without RFC 4515 escaping.
        // A DN containing ( ) * or \ would change or break the filter.
        Search.Filter = "(&(manager=" + sDN + "))";
        //Search.Filter = "(&(manager=" + sDN + ")(extensionAttribute14=INV))";
        // Base scope evaluates only the search root itself, never its siblings or children.
        Search.SearchScope = SearchScope.Base;  // Also tried SearchScope.Subtree
        // NOTE(review): the SearchResultCollection is IDisposable and is not disposed here.
        SearchResultCollection Results = Search.FindAll();

        if (null != Results)  // Results is not null but has zero length
        {
            foreach (SearchResult Result in Results)
            {
                DirectoryEntry deUser = Result.GetDirectoryEntry();

                if (null != deUser)
                    lsUsers.Add(deUser);
            }
        }
    }
    return lsUsers;
}

I also tried escaping DN using:

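// RFC 4515 filter escaping: each special character becomes a backslash followed by its
// two-digit hex code, and the backslash itself must be handled first.
// A char-for-char replacement such as Replace('(', '\x28') does nothing, because
// '\x28' is the same character as '('.
string sEscapedDN = sDN.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");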

No Luck. Any help is appreciated.

NoBullMan
  • I'd try to remove the filter and ensure that the value passed to the filter corresponds to that field of at least one result. – Camilo Terevinto Jul 30 '18 at 21:39
  • if I remove the search filter, I get one result which is user's DN – NoBullMan Jul 30 '18 at 22:13
  • 1
    It sounds like maybe your initial `de` is too specific. Are you setting it to the container that has all of your users? The search root needs to be something that all of your users can be found in. Not so broad that it takes forever to search and not so narrow that it misses what you're looking for. – itsme86 Jul 30 '18 at 22:55
  • 1
    To add to what @itsme86 mentioned: surely the user isn't their own manager. I'd guess you need to strip out the user's name and just use `new DirectoryEntry(adPath)` – Camilo Terevinto Jul 30 '18 at 23:00
  • 3
    Perfect! Worked. I removed user's DN from AD path and changed search scope from Base to Subtree and got all 60 users under manager DN i was testing with. Now, if someone creates an answer from the comments, I will mark it as answer. – NoBullMan Jul 31 '18 at 01:21
  • 1
    @NoBullMan - If no one answers, you can write an answer on your own citing the attribution to the commentators. Cheers :) – Am_I_Helpful Jul 31 '18 at 09:55

1 Answer


Following itsme86's suggestion to set the search root to the container that holds all of the users, and Camilo Terevinto's specific suggestion to remove the manager's DN from the AD path, the issue was resolved. I also had to change the search scope from Base to Subtree.

Below is what worked for me:

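/// <summary>
/// Returns the directory entries of all users whose <c>manager</c> attribute equals
/// the given distinguished name.
/// </summary>
/// <param name="sManagerDN">Distinguished name of the manager.</param>
/// <returns>
/// One <see cref="DirectoryEntry"/> per matching user; an empty list when nothing matches.
/// The caller owns the returned entries and should dispose them when done.
/// </returns>
private static List<DirectoryEntry> GetUserDEByManagerDN(string sManagerDN)
{
    string adPath = ConfigurationManager.AppSettings["ADPath"].ToString();
    List<DirectoryEntry> lsUsers = new List<DirectoryEntry>();

    // Root the search at the configured AD path (the container holding the users),
    // not at the manager's own object (adPath + "/" + sManagerDN).
    using (DirectoryEntry de = new DirectoryEntry(adPath))
    using (DirectorySearcher Search = new DirectorySearcher())
    {
        Search.SearchRoot = de;

        // The DN is escaped before it goes into the filter, so that characters such as
        // ( ) * \ inside it are matched literally instead of being parsed as filter syntax.
        // The extensionAttribute14=INV clause excludes unusual "users" (fax, special
        // accounts, etc.) in the author's directory; drop it if you do not need it.
        Search.Filter = "(&(manager=" + EscapeLdapFilterValue(sManagerDN) + ")(extensionAttribute14=INV))";

        // Subtree (not Base) so that every object below the search root is examined.
        Search.SearchScope = SearchScope.Subtree;

        // SearchResultCollection is IDisposable; release it once the entries are copied out.
        using (SearchResultCollection Results = Search.FindAll())
        {
            foreach (SearchResult Result in Results)
            {
                DirectoryEntry deUser = Result.GetDirectoryEntry();

                if (null != deUser)
                    lsUsers.Add(deUser);
            }
        }
    }
    return lsUsers;
}

/// <summary>
/// Escapes a value for use inside an LDAP search filter (RFC 4515): backslash,
/// asterisk, parentheses and NUL become a backslash followed by their hex code.
/// </summary>
private static string EscapeLdapFilterValue(string value)
{
    // Same result as concatenating a null or empty string into the filter.
    if (string.IsNullOrEmpty(value))
        return string.Empty;

    // The backslash must be replaced first, otherwise the escapes added below
    // would themselves be escaped again.
    return value
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
}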
NoBullMan