
ANR and AD searches

Posted: December 30, 2014

A comment on this post, http://richardspowershellblog.wordpress.com/2014/12/29/using-givenname-and-surname-instead-of-samaccountname/, suggested using ANR (Ambiguous Name Resolution) as a method of searching AD.

ANR provides a fuzzy search mechanism for AD – think wildcard search. If you perform an ANR search you’ll get anything that matches, using your input as the root of the wildcard search, across display name, given name, name, samaccountname and surname.

 

Consider the searches shown last time based on the name Dave Green. Let’s perform an ANR search on the first name:

£> Get-ADUser -Filter {anr -eq 'Dave'} | select Name

Name
----
Jo Daven
Dave Green
Dave Brown
Dave White

Get-ADUser -LDAPFilter "(anr=Dave)" | select Name

will give the same result. In my AD I get 3 results. Any account in which any of the names listed above starts with the letters ‘Dave’ will be returned. Notice that in one of the results the letters are in the surname, not the first name.

 

Similar issues arise if you perform ANR searches based on surname:

£> Get-ADUser -LDAPFilter "(anr=Green)" | select Name

Name
----
Dave Green
Fred Green
Dale Greensmith

or

Get-ADUser -Filter {anr -eq 'Green'} | select Name

 

This time notice that the surname Greensmith is returned as well as Green.

 

You could use the whole name:

£> Get-ADUser -LDAPFilter "(anr=Dave Green)" | select Name

or

£> Get-ADUser -Filter {anr -eq 'Dave Green'} | select Name

Name
----
Dave Green
Dave Greenly

 

NOTE: I created the Dave Greenly account after the previous searches which is why it didn’t show earlier.

 

ANR searches are also slower than searching on specific attributes because a number of properties are being searched.

 

An ANR search is a good first step if you’re not sure what you’re looking for, but you will usually need to refine the search using the -Identity parameter or more specific filters if you want to get to a single object.
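
The narrowing step described above, as an added example that is not part of the original post: a broad ANR search followed by an exact match on given name and surname. The function names are hypothetical and the code assumes the ActiveDirectory module and a reachable domain; the input is escaped per RFC 4515 so that a name containing characters such as ( or * stays literal text inside the LDAP filter.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so that input such as
    # 'Green (Contractor)' stays a literal value inside the filter.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\5c' -replace '\*', '\2a'
    $v = $v -replace '\(', '\28' -replace '\)', '\29'
    $v -replace '\x00', '\00'
}

function Find-ADUserByName {
    # Broad ANR search first, then narrow to exact attribute matches.
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname
    )
    $anr = ConvertTo-LdapFilterValue "$GivenName $Surname"
    $found = @(Get-ADUser -LDAPFilter "(anr=$anr)")

    if ($found.Count -le 1) { return $found }

    # GivenName and Surname are in Get-ADUser's default property set,
    # so the refinement needs no second query against the directory.
    $exact = @($found | Where-Object {
        $_.GivenName -eq $GivenName -and $_.Surname -eq $Surname
    })
    if ($exact.Count -eq 1) { return $exact }

    # Still ambiguous: list the candidates so one can be chosen
    # and then fetched with -Identity.
    Write-Warning "$($found.Count) accounts match '$GivenName $Surname'"
    $found | Select-Object Name, SamAccountName, DistinguishedName
}

Find-ADUserByName -GivenName 'Dave' -Surname 'Green'
```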
