In a recent project of mine, we needed to get the roles from AD. The AD roles we needed were deep inside the structure of the AD. But when we set the connection string to point to that branch of the AD tree, none of the users got any of the roles.
That's because when you specify a branch you only get roles and users in that branch. As you can see in the GetUser methods in EPiServer.Security.ActiveDirectoryRoleProvider.
There is more than one thing wrong with this method. It seems that the design pattern in EPiServer is to always access private fields instead of public properties. _factory points to the public DirectoryDataFactory, and that could have been changed in the Initialize process. This is getting more and more annoying…
We therefore have to (again!!!) copy the whole code of ActiveDirectoryRoleProvider and make changes.
I have basically made a copy of the ActiveDirectoryRoleProvider and made myself a tag that points to where the users are: RootNodeForUsers.
With this code you can therefore add another branch, so you can show a few roles but have access to all the users.
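
The scoping behaviour described above, as an added example that is not EPiServer's code or the code from this post: a small in-memory model where users are looked up under one root and roles are only reported from another. The directory contents, the DNs and the names `IsUnder` and `GetRolesForUser` are constructed for illustration, and DNs are split on plain commas (no escaped commas).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed in-memory directory; every DN and name here is made up for illustration.
static class ScopedRoleLookup
{
    // User DN -> DNs of the groups the user belongs to (what memberOf would hold).
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]>
    {
        ["CN=anna,OU=Staff,DC=example,DC=local"] = new[]
        {
            "CN=WebEditors,OU=Cms,OU=Groups,DC=example,DC=local",
            "CN=Payroll,OU=Finance,OU=Groups,DC=example,DC=local"
        }
    };

    // True when dn is baseDn itself or lies below it. Whole RDNs are compared from
    // the right, so "OU=OldCms,..." does not count as being under "OU=Cms,...".
    static bool IsUnder(string dn, string baseDn)
    {
        var d = dn.Split(',').Select(p => p.Trim()).Reverse().ToArray();
        var b = baseDn.Split(',').Select(p => p.Trim()).Reverse().ToArray();
        return b.Length <= d.Length &&
               b.Zip(d, (x, y) => string.Equals(x, y, StringComparison.OrdinalIgnoreCase))
                .All(eq => eq);
    }

    // Users are searched below userRoot; roles are only reported from below roleRoot.
    public static string[] GetRolesForUser(string cn, string userRoot, string roleRoot)
    {
        var user = Users.Keys.FirstOrDefault(dn =>
            IsUnder(dn, userRoot) &&
            dn.StartsWith("CN=" + cn + ",", StringComparison.OrdinalIgnoreCase));
        if (user == null) return new string[0];   // user lies outside the search root
        return Users[user].Where(g => IsUnder(g, roleRoot)).ToArray();
    }

    static void Main()
    {
        const string roleRoot = "OU=Cms,OU=Groups,DC=example,DC=local";
        // One root for both lookups: the user is not under the role branch, so no roles.
        Console.WriteLine(GetRolesForUser("anna", roleRoot, roleRoot).Length);
        // Separate user root: the user is found, and only groups inside the role branch show.
        Console.WriteLine(string.Join(";", GetRolesForUser("anna", "DC=example,DC=local", roleRoot)));
    }
}
```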