Authenticating to multiple OUs in Active Directory

I'm using the Active Directory Membership Provider with the following configuration:

   <connectionStrings>
      <add name="MyConnString" connectionString="LDAP://domaincontroller/OU=Product Users,DC=my,DC=domain,DC=com" />
   </connectionStrings>

  <membership defaultProvider="MyProvider">
     <providers>
        <clear />
        <add name="MyProvider" connectionStringName="MyConnString"
             connectionUsername="my.domain.com\service_account"
             connectionPassword="biguglypassword"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
     </providers>
  </membership>

This works perfectly except it requires ALL of my users to be in the "Product Users" OU when I would actually like to have all of my users organized into various child OUs under our "Pr开发者_Python百科oduct Users" OU. Is this possible?

(Note that this is a partial repost of this question but the question I'm asking here was never answered there.)

---

Authentication against AD is done based on connection scope as i undetstand it. Essentially what that means is that everyhting within the context of the connection string is considered ...

if you have your connection as:

LDAP://domaincontroller/OU=Domain Users,DC=my,DC=domain,DC=com

any user will then be authenticated that is a member of the domain.

from there you should add the Windows token based role provider and configure it something like this ...

<!-- use windows authentication -->
<authentication mode="Windows" />

<!-- use the Windows role provider -->    
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

<!-- global authorization rules -->
<authorization>
    <allow roles="Domain Admins, Product Users"/>
    <deny users="*" />
</authorization>

This locks down the application for use by only domain admins and users within the OU "Product Users" AND all of its children recursively.

from there you can do further "context based" checks for other functions e.g. ...

If(User.IsInRole("Product Admins"))
{
   // do something groovy
}
else
   throw new SecurityException();

What does this mean ...

It means you have fine grained control of the security of your application logic based on domain user group membership, if a user is in your domain this will authenticate them, but it may not authorise them (thats down to your role provider configuration).

Authenticate: Identify the user.

Authorise : Grant permissions / access to the user.