How does AD search work

This topic contains 6 replies, has 2 voices, and was last updated by  Yegor Lopatin 5 years ago.

  • Author
  • #7248

    Yegor Lopatin

    Hi Scripting Guys.
    Could you kindly put me in the picture on how AD search works (from the GUI)?
    For example, I tried get-aduser -f{Name -eq "Tom McKinly"} – nothing.
    If I put "Tom McKinly" into the GUI search, it finds "Tom J McKinly" or "Tomas J McKinly".
    I also tried
    get-aduser -f{(GivenName -like "T*") – AND (Surname -eq "McKinly")}
    but the -like filter is rather slow...

    Could you say what filter is used by the GUI search tool?

    Thanks a lot

  • #7255


    I don't know that anyone outside of Microsoft would be able to answer that question. There are various techniques and protocols that can be used to search LDAP directories; some are faster than others. PowerShell also comes with some extra overhead since it is layered on top of .NET and interpreted.

    Just to make sure, in the example you provided above, you have a space between the "-" and the "AND". That space shouldn't be there. I suspect when you invoke that command you're not entering the space, correct?

    Last, it's been a little while since I dug into LDAP searches and performance, so I'm a bit rusty, but I think you should search for exact matches first, then for wildcards. So that means instead of this:

    Get-ADUser -f {(GivenName -like "T*") -and (Surname -eq "McKinly")}

    do this:

    Get-ADUser -f {(Surname -eq "McKinly") -and (GivenName -like "T*")}

    I'm not sure that will make a difference, but I believe order matters when using ands and ors, so it may be significantly faster if you search for a specific surname first and then in those results search for givenname values that start with T instead of the other way around.

  • #7258

    Yegor Lopatin

  • #7264

    Yegor Lopatin

    Thanks. The idea is great and reasonable. I am on a flight right now, that's why -and was typed with a space, and that's why I can try this approach in a few days. I'll let you know, because I guess it will be interesting for all.

  • #7265


    Sounds good. Safe travels. 🙂

  • #7327

    Yegor Lopatin

    (Measure-Command {get-aduser -f{(GivenName -like "I*") -and (Surname -eq "Ivanov")}}).milliseconds
    30-40 ms

    (Measure-Command {get-aduser -f{(Surname -eq "Ivanov") -and (GivenName -like "I*") }}).milliseconds
    30-40 ms

    $name = "I*Ivanov"
    (Measure-Command {get-aduser -f{Name -like $name }}).milliseconds
    600-700 ms

    (Measure-Command{Get-ADUser -LDAPFilter "(&(givenname=I*)(sn=Ivanov))"}).milliseconds
    fixed 30 ms

    (Measure-Command{Get-ADUser -LDAPFilter "(&(sn=Ivanov)(givenname=I*))"}).milliseconds
    30-40 ms

    It seems there is no difference in the sequence of parameters.

  • #7328

    Yegor Lopatin

    I also played with the AD GUI search.
    Even if you put 2 letters with a space (e.g. b j), it will find all (GivenNames which start with B and Surnames which start with J) and (GivenNames with J and Surnames with B).
    If you leave off letters from the end – it will find it.
    If you leave off the start letter – it fails.
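
The matching reported in this thread (a two-part term tried as first/last and last/first name, prefix matches only) is consistent with Active Directory's Ambiguous Name Resolution filter, `(anr=...)`. The following is an added example, not part of the thread: the hypothetical helpers `ConvertTo-LdapFilterValue` and `Expand-AnrFilter` build an approximate explicit equivalent offline. That the GUI search uses ANR, and the attribute list shown, are assumptions.

```powershell
# Added example, not code from the thread. Needs no domain controller.

# ASSUMPTION: a subset of the attributes that have ANR enabled in a default
# schema. The real set is whatever carries the ANR flag in your forest.
$AnrAttributes = 'displayName', 'givenName', 'sn', 'name',
                 'sAMAccountName', 'physicalDeliveryOfficeName', 'proxyAddresses'

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so typed input cannot alter the filter structure
    # (a literal '*' or ')' in a name stays a literal character).
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added afterwards are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

function Expand-AnrFilter {
    # Approximates what the server does with (anr=<Term>).
    param([Parameter(Mandatory)][string]$Term)
    $t = $Term.Trim()
    $whole = ConvertTo-LdapFilterValue $t

    # 1) Prefix match of the whole term against every ANR attribute.
    $clauses = @(foreach ($attr in $AnrAttributes) { "(${attr}=${whole}*)" })

    # 2) If the term contains a space, split at the first one and try it as
    #    "first last" and as "last first", both as prefix matches.
    $first, $last = $t -split '\s+', 2
    if ($last) {
        $f = ConvertTo-LdapFilterValue $first
        $l = ConvertTo-LdapFilterValue $last
        $clauses += "(&(givenName=${f}*)(sn=${l}*))"
        $clauses += "(&(givenName=${l}*)(sn=${f}*))"
    }
    '(|' + ($clauses -join '') + ')'
}

# Terms taken from the thread; output is the explicit filter string.
Expand-AnrFilter 'Tom McKinly'
Expand-AnrFilter 'b j'
Expand-AnrFilter 'Mc(Kinly)*'   # metacharacters are escaped, not interpreted

# With the ActiveDirectory module and a reachable domain, the server performs
# the expansion itself:
#   Get-ADUser -LDAPFilter "(anr=$(ConvertTo-LdapFilterValue 'Tom McKinly'))"
```

Every clause in the expansion is a prefix match, which lines up with the observation that leaving off trailing letters still finds the user while leaving off the first letter does not.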
