If you are on .NET 3.5 or above, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read more here:
Basically, you define the context of a domain and can then easily find users and/or groups in AD:
```csharp
using System;
using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if (user != null)
{
    // do something here....
}

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
    // iterate over members
    foreach (Principal p in group.GetMembers())
    {
        Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);
        // do whatever you need to do to those members
    }
}
```
The new S.DS.AM makes it very easy to play with users and groups in AD.
Computer accounts will appear as ComputerPrincipal (derived from Principal), so you can easily separate user and computer accounts.
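As an added example (not code from the answer above), this is how the type test described there looks when you actually need the user and computer members as separate lists. It assumes .NET Framework 3.5+ on a domain-joined machine; `"YourGroupNameHere"` is a placeholder, and the caller owns the `PrincipalContext` so the returned principals stay usable after the call.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example: split a group's membership into user accounts and machine
// accounts using the Principal subtypes S.DS.AM hands back.
static class GroupMemberSplitter
{
    // The caller keeps ctx alive for as long as it uses the returned principals.
    public static void SplitMembers(PrincipalContext ctx, string groupName,
                                    out List<UserPrincipal> users,
                                    out List<ComputerPrincipal> computers)
    {
        users = new List<UserPrincipal>();
        computers = new List<ComputerPrincipal>();

        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            // GetMembers(true) expands nested groups; the type test on each Principal
            // is what tells a user account apart from a computer account.
            foreach (Principal p in group.GetMembers(true))
            {
                ComputerPrincipal cp = p as ComputerPrincipal;
                if (cp != null) { computers.Add(cp); continue; }

                UserPrincipal up = p as UserPrincipal;
                if (up != null) { users.Add(up); continue; }

                // Anything else (a foreign security principal, an unexpandable group)
                // is not needed here and is released immediately.
                p.Dispose();
            }
        }
    }

    static void Main()
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        {
            List<UserPrincipal> users;
            List<ComputerPrincipal> computers;
            SplitMembers(ctx, "YourGroupNameHere", out users, out computers); // placeholder group name

            Console.WriteLine("{0} user(s), {1} computer(s)", users.Count, computers.Count);
            foreach (UserPrincipal u in users) Console.WriteLine("user:     " + u.SamAccountName);
            foreach (ComputerPrincipal c in computers) Console.WriteLine("computer: " + c.Name);
        }
    }
}
```

Disposing the `PrincipalContext` before you have finished reading properties of the principals it produced can fail on lazily loaded attributes, which is why the context is passed in rather than created inside the method.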
If you cannot or do not want to switch to S.DS.AM, you can also separate users and computers by using objectCategory instead of objectClass in your LDAP filter. objectCategory is useful anyway: it is indexed and not ambiguous, so query performance will be much better.
For real user accounts, use `objectCategory=Person`, and for computers use `objectCategory=Computer` in your LDAP filter.
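An added example (not from the answer above) of the objectCategory filters in a `DirectorySearcher`, with two points the answer leaves implicit: `objectClass=user` alone also matches computer objects, because the computer class is derived from user, and `objectCategory=person` alone also matches contact objects, so the user filter combines both attributes. Any name that comes from outside the program is escaped per RFC 4515 before it is spliced into the filter, so that it cannot change the filter's structure. The search root is taken from RootDSE; the method and function names are my own.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example: objectCategory-based user/computer filters for DirectorySearcher.
static class CategoryFilters
{
    // Escape a value for use inside an LDAP filter (RFC 4515, section 3).
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Real user accounts only: objectCategory=person excludes computers,
    // objectClass=user excludes contacts.
    public static string UserFilter(string samAccountName)
    {
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
               + EscapeFilterValue(samAccountName) + "))";
    }

    // Machine accounts only; indexed objectCategory does the heavy lifting.
    public static string ComputerFilter(string computerName)
    {
        return "(&(objectCategory=computer)(name=" + EscapeFilterValue(computerName) + "))";
    }

    // Run a filter against the default naming context and return the hit count.
    public static int CountMatches(string filter)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;

            using (DirectoryEntry searchRoot = new DirectoryEntry("LDAP://" + defaultNc))
            using (DirectorySearcher searcher = new DirectorySearcher(searchRoot, filter))
            {
                searcher.PropertiesToLoad.Add("distinguishedName");
                searcher.PageSize = 500; // paged results avoid the server-side 1000-entry cap
                using (SearchResultCollection results = searcher.FindAll())
                {
                    return results.Count;
                }
            }
        }
    }

    static void Main()
    {
        // Placeholder names; wildcards are legitimate here because they are part of the
        // program's own filter, not of an escaped input value.
        Console.WriteLine("users matching j*:     " + CountMatches(UserFilter("j") .Replace("j)", "j*)")));
        Console.WriteLine("computers matching ws-*: " + CountMatches("(&(objectCategory=computer)(name=ws-*))"));

        // A hostile value is neutralised by the escaping, not interpreted.
        Console.WriteLine(UserFilter("bob)(objectClass=*"));
        // -> (&(objectCategory=person)(objectClass=user)(sAMAccountName=bob\29\28objectClass=\2a))
    }
}
```

`EscapeFilterValue` is the piece to keep even if you drop the rest: a filter built by string concatenation from an unescaped name is an LDAP injection point, and the escaping is what turns a caller-supplied `*` or `)` back into a literal character.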