I use Active Directory Membership Provider to authenticate users.  It works great from the top-level down.  The problem I'm facing now is due to the structure of our AD.  I need to limit the group of users to 5 different OU's and few individual accounts while restricting access to any other users in the domain.   I don't have any control over the structure of the AD.  The way I have it setup now is that all users can login and then I just use roles to show/hide the section of the site, but I really need to block anyone who is not a part of this group of users from even being able to login.  Is there any way to use a filter in the connection string or is there a better way to approach this?  I haven't tried to extend the provider, I figured it was best to stop here first before getting into that.  Hopefully this makes some sort of sense.

Any help or pointers would be great.  thanks!