How does AD search work

Hi Scripting Guys.
Could you kindly put me in the picture on how AD search works (from the GUI)?
I.e. I tried get-aduser -f{Name -eq "Tom McKinly"} - nothing.
If I put “Tom McKinly” into the GUI search, it finds “Tom J McKinly” or “Tomas J McKinly”.
I also tried
get-aduser -f{(GivenName -like "T*") - AND (Surname -eq "McKinly")}
but the -like filter is rather slow…

Could you say what filter is used by the GUI search tool?

Thanks a lot

I don’t know that anyone outside of Microsoft would be able to answer that question. There are various techniques and protocols that can be used to search LDAP directories, some are faster than others. PowerShell also comes with some extra overhead since it is layered on top of .NET and interpreted.

Just to make sure, in the example you provided above, you have a space between the “-” and the “AND”. That space shouldn’t be there. I suspect when you invoke that command you’re not entering the space, correct?

Last, it’s been a little while since I dug into LDAP searches and performance, so I’m a bit rusty, but I think you should search for exact matches first, then for wildcards. So that means instead of this:

Get-ADUser -f {(GivenName -like "T*") -and (Surname -eq "McKinly")}

do this:

Get-ADUser -f {(Surname -eq "McKinly") -and (GivenName -like "T*")}

I’m not sure that will make a difference, but I believe order matters when using ands and ors, so it may be significantly faster if you search for a specific surname first and then in those results search for givenname values that start with T instead of the other way around.


Thanks. The idea is great and reasonable. Right now I am on a flight, that's why -and was typed with a space, and that's why I can only try this approach in a few days. I'll let you know, because I guess it will be interesting for all.

Sounds good. Safe travels. :)

(Measure-Command {get-aduser -f{(GivenName -like "I*") -and (Surname -eq "Ivanov")}}).milliseconds
30-40 ms

(Measure-Command {get-aduser -f{(Surname -eq "Ivanov") -and (GivenName -like "I*") }}).milliseconds
30-40 ms

$name = "I*Ivanov"
(Measure-Command {get-aduser -f{Name -like $name }}).milliseconds
600-700 ms

(Measure-Command{Get-ADUser -LDAPFilter "(&(givenname=I*)(sn=Ivanov))"}).milliseconds
fixed 30 ms

(Measure-Command{Get-ADUser -LDAPFilter "(&(sn=Ivanov)(givenname=I*))"}).milliseconds
30-40 ms

It seems there is no difference in the sequence of parameters.

I also played with the AD GUI search.
Even if you put 2 letters with a space (i.e. b j), it will find all (GivenNames which start with B and Surnames which start with J) and (GivenNames with J and Surnames with B).
If you miss letters from the end, it will find.
If you miss the start letter, it fails.
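
The matching described in the last post (two space-separated parts tried as prefixes of GivenName and Surname in either order) written out as an explicit LDAP filter, with the typed text escaped so that characters such as `*` and `(` cannot change the filter's structure. This is an added example, not part of the thread: the function names are hypothetical, and the last line uses Active Directory's Ambiguous Name Resolution (`anr`) filter, which performs this kind of prefix matching on the server.

```powershell
# Added example; ConvertTo-LdapLiteral and New-NameSearchFilter are hypothetical names.

function ConvertTo-LdapLiteral {
    # Escape the characters that are special inside an LDAP filter value (RFC 4515).
    # The backslash is replaced first so later escapes are not escaped again.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function New-NameSearchFilter {
    # Build a prefix-match filter from one or two name parts typed by a user.
    param([Parameter(Mandatory)][string]$SearchText)

    # Split on whitespace, drop empty parts, escape each part.
    $tokens = @(-split $SearchText |
        Where-Object { $_ } |
        ForEach-Object { ConvertTo-LdapLiteral $_ })

    switch ($tokens.Count) {
        1 {
            $a = $tokens[0]
            "(|(givenName=${a}*)(sn=${a}*))"
        }
        2 {
            $a, $b = $tokens
            # Try both orders: "first last" and "last first".
            "(|(&(givenName=${a}*)(sn=${b}*))(&(givenName=${b}*)(sn=${a}*)))"
        }
        default { throw 'Expected one or two name parts.' }
    }
}

# Explicit filter built from the search text used in the thread.
$filter = New-NameSearchFilter 'Tom McKinly'
Get-ADUser -LDAPFilter $filter

# The same idea using the server-side anr filter, with the input still escaped.
Get-ADUser -LDAPFilter "(anr=$(ConvertTo-LdapLiteral 'Tom McKinly'))"
```

Both attributes are matched only by prefix (trailing `*`), which is why text missing its first letter finds nothing while text missing letters at the end still matches.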