How does AD search work


This topic contains 6 replies, has 2 voices, and was last updated by Yegor Lopatin 3 years, 10 months ago.

  • #7248
    Yegor Lopatin
    Participant

    Hi Scripting Guys.
    Could you kindly put me in the picture about how AD Search works (from the GUI)?
    I.e. I tried get-aduser -f{Name -eq "Tom McKinly"} – nothing.
    If I put "Tom McKinly" into the GUI search – it finds "Tom J McKinly" or "Tomas J McKinly".
    I also tried
    get-aduser -f{(GivenName -like "T*") – AND (Surname -eq "McKinly")}
    but the -like filter is rather slow...

    Could you say what filter is used by the GUI search tool?

    Thanks a lot

  • #7255
    Poshoholic
    Member

    I don't know that anyone outside of Microsoft would be able to answer that question. There are various techniques and protocols that can be used to search LDAP directories; some are faster than others. PowerShell also comes with some extra overhead since it is layered on top of .NET and interpreted.

    Just to make sure, in the example you provided above, you have a space between the "-" and the "AND". That space shouldn't be there. I suspect when you invoke that command you're not entering the space, correct?

    Last, it's been a little while since I dug into LDAP searches and performance, so I'm a bit rusty, but I think you should search for exact matches first, then for wildcards. So that means instead of this:

    Get-ADUser -f {(GivenName -like "T*") -and (Surname -eq "McKinly")}

    do this:

    Get-ADUser -f {(Surname -eq "McKinly") -and (GivenName -like "T*")}

    I'm not sure that will make a difference, but I believe order matters when using ands and ors, so it may be significantly faster if you search for a specific surname first and then in those results search for givenname values that start with T instead of the other way around.

  • #7258
    Yegor Lopatin
    Participant

  • #7264
    Yegor Lopatin
    Participant

    Thanks. The idea is great and reasonable. I am in flight now, that's why -and was typed with a space, and that's why I can try this approach in a few days. I'll let you know, because I guess it will be interesting for all.

  • #7265
    Poshoholic
    Member

    Sounds good. Safe travels. 🙂

  • #7327
    Yegor Lopatin
    Participant

    Hi!
    so,
    (Measure-Command {get-aduser -f{(GivenName -like "I*") -and (Surname -eq "Ivanov")}}).milliseconds
    30-40 ms

    (Measure-Command {get-aduser -f{(Surname -eq "Ivanov") -and (GivenName -like "I*") }}).milliseconds
    30-40 ms

    $name = "I*Ivanov"
    (Measure-Command {get-aduser -f{Name -like $name }}).milliseconds
    600-700 ms

    (Measure-Command{Get-ADUser -LDAPFilter "(&(givenname=I*)(sn=Ivanov))"}).milliseconds
    fixed 30 ms

    (Measure-Command{Get-ADUser -LDAPFilter "(&(sn=Ivanov)(givenname=I*))"}).milliseconds
    30-40 ms

    It seems there is no difference in the sequence of parameters.

  • #7328
    Yegor Lopatin
    Participant

    I also played with the AD GUI search.
    Even if you put 2 letters with a space (i.e. b j), it will find all (GivenNames which start with B and Surnames which start with J) and (GivenNames with J and Surnames with B).
    If you miss letters from the end – it will find.
    If you miss the start letter – it fails.
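The matching described in the last post (prefix match per word, first and last name tried in both orders) can be written as an explicit LDAP filter for `Get-ADUser -LDAPFilter`. This is an added example, not part of the thread and not Microsoft's implementation of the GUI search; the function names `ConvertTo-LdapFilterValue` and `Get-NameSearchFilter` are hypothetical, and the single-word case is an assumption the thread does not cover. The typed text is escaped per RFC 4515 so that characters such as `*`, `(` and `)` in a name cannot change the filter's structure.

```powershell
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping. The backslash must be replaced first, otherwise the
    # backslashes introduced by the later replacements would be escaped again.
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace([string][char]0, '\00')
}

function Get-NameSearchFilter {
    param([Parameter(Mandatory)][string]$Text)

    # Split on whitespace and escape every word before it enters the filter.
    $tokens = @(-split $Text | ForEach-Object { ConvertTo-LdapFilterValue $_ })

    switch ($tokens.Count) {
        0 { throw 'Search text contains no words.' }
        1 {
            # Assumption: a single word is tried as a prefix of either name part.
            $t = $tokens[0]
            "(|(givenName=${t}*)(sn=${t}*)(name=${t}*))"
        }
        default {
            # First word against the rest, in both orders, prefix match only.
            # A missing leading letter therefore never matches, as observed.
            $a = $tokens[0]
            $b = $tokens[1..($tokens.Count - 1)] -join ' '
            "(|(&(givenName=${a}*)(sn=${b}*))(&(givenName=${b}*)(sn=${a}*)))"
        }
    }
}

# Constructed sample inputs; the names are the ones used in the thread.
Get-NameSearchFilter 'b j'
Get-NameSearchFilter 'Tom McKinly'
Get-NameSearchFilter 'Tom (test)*'   # metacharacters arrive escaped

# Against a domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter (Get-NameSearchFilter 'Tom McKinly')
```

Active Directory also accepts an ambiguous name resolution filter such as `(anr=Tom McKinly)` through `-LDAPFilter`, which performs this kind of prefix matching on the server.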
