Introduction
Very recently I’ve been troubleshooting an issue related to LDAP queries against Active Directory using .NET’s System.DirectoryServices namespace. I was surprised to see that the main query used an LDAP filter (the equivalent of a SQL WHERE clause) built by concatenating several conditions in order to find a user by the usual attributes such as display name, first name, last name, email address…
Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) both come with a handy feature for searching the well-known user attributes in a simplified manner: Ambiguous Name Resolution (ANR). Exchange and Outlook specialists know it very well, since it is the feature Outlook uses when it resolves a recipient against the Global Address List (GAL).
Let’s start with an example (assuming you’re familiar with LDAP filter syntax). Say your code needs to search for a user whose name (first, last or whatever) is “Bishop”. With plain LDAP syntax, the filter would look something like:
(&(objectClass=user)(|(name=bishop)(displayName=bishop)(mail=bishop)(sn=bishop)(samAccountName=bishop)(proxyAddresses=bishop))
Using ANR, it will be:
(&(objectClass=user)(anr=bishop))
You get the point: no need to think about all the name-related attributes when building your filter, ANR does it for you. Moreover, it keeps your results consistent with Outlook’s behaviour, which is great if you’re looking for a uniform user experience.
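To make the two filter forms concrete, here is an added example (my own code, not something from the original post) that builds the short ANR form and expands it into the explicit OR form. The attribute list is the Windows Server 2008 default ANR set listed further down in this post, written with the attributes’ LDAP display names (the schema attribute called “RDN” has the display name “name”). Values are escaped per RFC 4515 before being placed in the filter, which is the step a concatenation-based query usually forgets, and a small parenthesis check catches the kind of unbalanced filter that is easy to produce by hand.

```python
"""Build ANR filters and expand them into the explicit OR form.

Added example, not code from the original post. The attribute list is the
Windows Server 2008 default ANR set given in the post, written with the
attributes' LDAP display names (the schema "RDN" attribute is "name").
"""

# Default ANR attribute set for Windows Server 2008, by LDAP display name.
ANR_ATTRIBUTES_2008 = (
    "displayName", "givenName", "legacyExchangeDN",
    "msDS-AdditionalSamAccountName", "msDS-PhoneticCompanyName",
    "msDS-PhoneticDepartment", "msDS-PhoneticDisplayName",
    "msDS-PhoneticFirstName", "msDS-PhoneticLastName",
    "physicalDeliveryOfficeName", "proxyAddresses", "name",
    "sAMAccountName", "sn",
)

# RFC 4515 escapes for the characters that would otherwise change the
# filter structure when a value comes straight from user input.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def anr_filter(value: str, object_class: str = "user") -> str:
    """The short ANR form; the domain controller expands it server-side."""
    return f"(&(objectClass={object_class})(anr={escape_filter_value(value)}))"


def expand_anr(value: str, attributes=ANR_ATTRIBUTES_2008, object_class: str = "user") -> str:
    """Explicit OR filter equivalent to the ANR form.

    ANR matches on leading substrings, so each term carries a trailing
    wildcard. The wildcard is appended after escaping, so a '*' typed by
    the user stays a literal character.
    """
    safe = escape_filter_value(value)
    terms = "".join(f"({attr}={safe}*)" for attr in attributes)
    return f"(&(objectClass={object_class})(|{terms}))"


def is_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for hand-built filters: parentheses must nest."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(anr_filter("bishop"))
    print(expand_anr("bishop"))
    # A filter with one closing parenthesis too few is rejected.
    print(is_balanced("(&(objectClass=user)(|(anr=bishop))"))
```

The escaping matters for both forms: a value such as `bis*` or `a)(objectClass=*` is placed into the filter as literal text instead of altering what the query matches, which is exactly the weakness of building the long form by string concatenation.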
Attributes included in an ANR search
The list of attributes queried by ANR differs slightly depending on the version of Windows Server that AD is running on.
Windows 2000 Server
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Windows Server 2003
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- ms-DS-Additional-Sam-Account-Name
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Active Directory Application Mode (ADAM)
Windows Server 2003 R2
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- ms-DS-Additional-Sam-Account-Name
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Windows Server 2008
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- ms-DS-Additional-Sam-Account-Name
- ms-DS-Phonetic-Company-Name
- ms-DS-Phonetic-Department
- ms-DS-Phonetic-Display-Name
- ms-DS-Phonetic-First-Name
- ms-DS-Phonetic-Last-Name
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Windows Server 2008 R2
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- ms-DS-Additional-Sam-Account-Name
- ms-DS-Phonetic-Company-Name
- ms-DS-Phonetic-Department
- ms-DS-Phonetic-Display-Name
- ms-DS-Phonetic-First-Name
- ms-DS-Phonetic-Last-Name
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Windows Server 2012
- Display-Name
- Given-Name
- Legacy-Exchange-DN
- ms-DS-Additional-Sam-Account-Name
- ms-DS-Phonetic-Company-Name
- ms-DS-Phonetic-Department
- ms-DS-Phonetic-Display-Name
- ms-DS-Phonetic-First-Name
- ms-DS-Phonetic-Last-Name
- Physical-Delivery-Office-Name
- Proxy-Addresses
- RDN
- SAM-Account-Name
- Surname
Query it yourself!
Not sure which Windows version AD runs on? Simply issue an LDAP query with the filter below against the schema partition to retrieve the list of attributes used in ANR:
(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))
Matching
While a standard match returns either an exact match or a list of possible matches, a specific match restricts the results to exact matches.
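The difference between the two kinds of match is easier to see on data. The following is an added example of mine, not code from the post: it simulates ANR matching over a handful of constructed user records. A standard value (as in (anr=bishop)) matches any ANR attribute that starts with the value, case-insensitively, which is why an office name can bring back a user whose name does not match at all; a value written with a leading equals sign (as in (anr==bishop), the exact-match syntax Microsoft documents) returns only exact matches. The first/last-name split applied to values containing a space follows Microsoft’s description of ANR and is an approximation of the server’s behaviour.

```python
"""Simulate ANR matching semantics over in-memory user records.

Added example, not the post's code. A standard match (anr=value) is a
case-insensitive leading-substring match against any ANR attribute; the
exact form, written with a leading '=' as in (anr==value), requires an
exact match. Values containing a space are also tried as "first last" and
"last first", following Microsoft's description of ANR. Records below are
constructed sample data.
"""

# Subset of the ANR attribute set, by LDAP display name.
ANR_ATTRS = ("displayName", "givenName", "sn", "sAMAccountName",
             "proxyAddresses", "physicalDeliveryOfficeName")

# Constructed sample directory: the third user only matches "bishop"
# through the office name, not through any name attribute.
USERS = [
    {"sAMAccountName": "mbishop", "givenName": "Marc", "sn": "Bishop",
     "displayName": "Bishop, Marc",
     "proxyAddresses": ["SMTP:marc.bishop@example.com"]},
    {"sAMAccountName": "jbishopric", "givenName": "Jane", "sn": "Bishopric",
     "displayName": "Bishopric, Jane",
     "proxyAddresses": ["SMTP:jane.bishopric@example.com"]},
    {"sAMAccountName": "asmith", "givenName": "Anna", "sn": "Smith",
     "displayName": "Smith, Anna",
     "physicalDeliveryOfficeName": "Bishop Street"},
]


def _values(user: dict, attr: str) -> list:
    """Normalise single- and multi-valued attributes to a list of strings."""
    value = user.get(attr)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(user: dict, attr: str, needle: str, exact: bool) -> bool:
    """Exact or leading-substring comparison, case-insensitive like AD."""
    needle = needle.lower()
    for value in _values(user, attr):
        value = value.lower()
        hit = (value == needle) if exact else value.startswith(needle)
        if hit:
            return True
    return False


def anr_match(user: dict, value: str) -> bool:
    """Would (anr=value) select this user? A leading '=' asks for exact match."""
    exact = value.startswith("=")
    if exact:
        value = value[1:]
    if any(_matches(user, attr, value, exact) for attr in ANR_ATTRS):
        return True
    # "first last" and "last first" against givenName / sn.
    parts = value.split(" ", 1)
    if len(parts) != 2:
        return False
    first, last = parts
    return ((_matches(user, "givenName", first, exact) and _matches(user, "sn", last, exact))
            or (_matches(user, "givenName", last, exact) and _matches(user, "sn", first, exact)))


def anr_search(users: list, value: str) -> list:
    """Return the sAMAccountNames selected by an (anr=value) style filter."""
    return [u["sAMAccountName"] for u in users if anr_match(u, value)]


if __name__ == "__main__":
    for query in ("bishop", "=bishop", "marc bishop", "bishop marc"):
        print(f"{query!r:15} -> {anr_search(USERS, query)}")
```

Run as a script, the standard query for “bishop” returns all three users (the third one via its office), whereas “=bishop” returns only the user whose surname is exactly Bishop. When code resolves a single user from an ANR result, it should therefore either use the exact form or check that exactly one object came back, rather than taking the first entry.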
Customizing your AD schema to add attributes to ANR
Adding a non-standard attribute to the ANR search requires an AD schema modification. The link below describes the (rather simple) procedure:
More Information
- MS Support KB: Ambiguous Name Resolution for LDAP in Windows 2000
- MSDN: System.DirectoryServices Namespace
- MS TechNet: How Active Directory Searches Work
- Book: The .Net Developer's Guide to Directory Services Programming
Happy AD Querying!
Marc