How to retrieve user information from an Active Directory security group using LDAP and PHP

Updated: 2021-09-21 19:11:22

Query AD like this:

$dn       = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter   = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr       = ldap_search($ad, $dn, $filter);

Have a look at the MSDN article about the LDAP search filter syntax for information on more complex filters.

Be sure to pay attention to the Special Characters section further down that page. A correct solution must pass $group_DN through an escaping mechanism before using it in the filter string!

Always try to build filters that are as specific as possible. It is more efficient to let the LDAP server sort out the records you don't want than to transfer more records over the wire than you need and then throw away half of them on the client.
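An added example (not part of the original answer) of the escaping step described above: it passes the group DN through PHP's ldap_escape() with LDAP_ESCAPE_FILTER before building the filter, and prints the unescaped and escaped filters side by side. The helper names and the second and third sample DNs are constructed for illustration.

```php
<?php
// Added example: escape a group DN before placing it in an LDAP search filter.

/** Escape a value for use inside an LDAP filter assertion (RFC 4515). */
function escape_filter_value(string $value): string
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback when the ldap extension is not loaded: the same five characters.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/** Build the member-of-group filter from the page, with the DN escaped. */
function group_member_filter(string $groupDn): string
{
    return '(&(objectCategory=user)(memberOf=' . escape_filter_value($groupDn) . '))';
}

$samples = [
    // DN from the page: contains no filter metacharacters, so it is unchanged.
    'CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local',
    // Constructed: a legitimate group name with parentheses breaks filter syntax.
    'CN=Intra (Staff),OU=Common Security Groups,DC=mydomain,DC=local',
    // Constructed: untrusted input that would otherwise change the filter structure.
    'CN=Intra)(objectClass=*',
];

foreach ($samples as $groupDn) {
    echo "unescaped: (&(objectCategory=user)(memberOf=$groupDn))\n";
    echo "escaped:   " . group_member_filter($groupDn) . "\n\n";
}

// With a bound connection $ad and base $dn as on the page, also request only
// the attributes you need so fewer bytes cross the wire (attribute names here
// are an assumption):
// $sr = ldap_search($ad, $dn, group_member_filter($group_DN), ['sAMAccountName', 'mail']);
```

LDAP_ESCAPE_FILTER is the mode for values placed in a filter; LDAP_ESCAPE_DN is a different escaping mode, used when assembling a DN from its components.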