Have you looked into Identity Collector option?
Identity Collector - Technical Overview
We have had it since before it was called IDC and are very satisfied. As it says on the tin:
Identity Collector key benefits over standard AD Query
- Reduces the load on the Security Gateway - the agent is doing the queries instead of the Security Gateway.
- Reduces the load on the DCs - the native Windows API used consumes less resources.
- The Identity Collector requires no administrator or administrator-like permissions. The only permission required is read-only access to the domain security logs.
- One Identity Collector can serve multiple Security Gateways, even from different CMA.
Plus nothing to install on the client.
We are a 25000+ user organization and AD Query was not built for that scale, plus we wanted to avoid any installs on the client.