Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

Windows: The Underestimated Ambiguous Name Resolution (ANR) Search in Active Directory


Introduction

Very recently I’ve been troubleshooting an issue related to LDAP queries against Active Directory using .NET’s System.DirectoryServices namespace. I was surprised to see that the main query was using an LDAP filter (the equivalent of a WHERE SQL statement) with a concatenation of different conditions in order to find a user by their usual attributes such as display name, first name, last name, email address…

Active Directory Domain Services and Active Directory Lightweight Directory Services both come with a handy feature for searching well-known user attributes in a simplified manner: Ambiguous Name Resolution (ANR). Exchange and Outlook specialists know it very well, since it is the feature used when Outlook looks up a recipient in the Global Address List (GAL).

Let’s start with an example (assuming you’re familiar with LDAP filter syntax). In your code, you wish to search for a user whose name (first, last or whatever) is “Bishop”. If you use the plain LDAP syntax, it would give something like:

(&(objectClass=user)(|(name=bishop)(displayName=bishop)(mail=bishop)(sn=bishop)(samAccountName=bishop)(proxyAddresses=bishop)))

Using ANR, it will be:

(&(objectClass=user)(|(anr=bishop)))

You get the point: there is no need to think about all the name-related attributes when building your filter, because ANR does it for you. Moreover, it ensures consistency with Outlook’s behavior, which is great if you’re looking for a uniform user experience.

Attributes Included in ANR Search

The list of attributes queried by ANR differs a little depending upon the version of Windows Server AD is running on.

Windows 2000 Server

Windows Server 2003

Active Directory Application Mode (ADAM)

Windows Server 2003 R2

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Query it yourself!

Not sure about the Windows version AD runs on? Simply issue an LDAP query using the filter hereunder against the schema partition to retrieve the list of attributes used in ANR:

(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))

Matching

A standard match returns either an exact match or a list of possible matches, whereas a specific match is restricted to exact matches.
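The search term in both filters from the introduction usually comes from user input, so it has to be escaped before it is placed in the filter. The following is an added example, not code from the original post: it builds the explicit filter and the ANR filter with RFC 4515 escaping and checks parenthesis balance. The function names are hypothetical, and the `=` prefix used for an exact ANR match is Active Directory behaviour that the post does not spell out.

```python
# Added example, not code from the original post; all function names are hypothetical.
# RFC 4515 section 3: these characters are written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute list copied from the explicit filter in the post.
NAME_ATTRS = ("name", "displayName", "mail", "sn", "samAccountName", "proxyAddresses")


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only be read as a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _clean(term: str) -> str:
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    return escape_filter_value(term)


def anr_filter(term: str, exact: bool = False) -> str:
    """ANR filter; exact=True adds the '=' prefix (assumed AD exact-match form)."""
    value = ("=" if exact else "") + _clean(term)
    return f"(&(objectClass=user)(anr={value}))"


def explicit_filter(term: str, attrs=NAME_ATTRS) -> str:
    """Hand-written OR filter over the given attributes."""
    value = _clean(term)
    clauses = "".join(f"({attr}={value})" for attr in attrs)
    return f"(&(objectClass=user)(|{clauses}))"


def is_balanced(ldap_filter: str) -> bool:
    """Sanity check: every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: a plain name and one carrying filter metacharacters.
    for sample in ("bishop", "bishop)(objectClass=*"):
        for built in (anr_filter(sample), explicit_filter(sample)):
            print(is_balanced(built), built)
```

Because escaped parentheses are emitted as `\28` and `\29`, the balance check only counts the parentheses that form the filter structure.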

Customizing your AD’s Schema to add attributes to ANR

Adding a non-standard attribute to the ANR search requires an AD schema modification. The link hereunder provides the rather simple procedure:

More Information

Happy AD Querying!

Marc


Author: Marc Lognoul

Relentless cloud professional. Restless rider. Happy husband. Proud father. Opinions are my own.
