I was recently asked how to find a user when you have data that may be the SamAccountName or in another attribute. My first thought was leveraging Ambiguous Name Resolution (ANR) Search in Active Directory.
ANR enables you to find a user when you have some piece of information about that user but don't know which attribute it belongs to. For example, you may know that "Thor" appears somewhere in the user's account without knowing whether it is the sAMAccountName, the DN, the SID, the name, or something else. An ANR search queries the AD attributes flagged for ANR (these attributes must be indexed) and returns the results, which may include more than one user.
Windows Server 2008 checks the following attributes for ANR queries:
- displayName
- givenName
- legacyExchangeDN
- msDS-AdditionalSamAccountName
- msDS-PhoneticCompanyName
- msDS-PhoneticDepartment
- msDS-PhoneticDisplayName
- msDS-PhoneticFirstName
- msDS-PhoneticLastName
- physicalDeliveryOfficeName
- proxyAddresses
- Name
- sAMAccountName
- sn
Since ANR is an LDAP-specific feature of AD, you have to use an LDAP filter to get it.
Using the Microsoft AD cmdlets included in Windows Server 2008 R2, Get-ADObject performs an ANR search.
For example:
    Import-Module ActiveDirectory
    # -LDAPFilter takes a string; the ANR term is matched against every attribute in the ANR set
    Get-ADObject -LDAPFilter "(&(objectClass=user)(anr=Thor))"
The Quest AD cmdlets support ANR natively (of course they do!).
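The one-liner above is enough for interactive use. The following is an added example (not code from the original post) that wraps the same ANR query in a function: it escapes the search term per RFC 4515 before building the filter, so a value taken from a ticket or a form cannot change the meaning of the filter, and for each hit it reports which attribute from the ANR set above the term matched on. The function names Find-UserByAnr and ConvertTo-LdapFilterLiteral are my own; Get-ADObject and its -LDAPFilter, -Properties and -Server parameters are the real ActiveDirectory cmdlet parameters.

```powershell
# Added example: safe ANR lookup with a report of the matching attribute(s).
Import-Module ActiveDirectory

# The Windows Server 2008 ANR attribute set, as listed in the post.
$AnrAttributes = @(
    'displayName', 'givenName', 'legacyExchangeDN', 'msDS-AdditionalSamAccountName',
    'msDS-PhoneticCompanyName', 'msDS-PhoneticDepartment', 'msDS-PhoneticDisplayName',
    'msDS-PhoneticFirstName', 'msDS-PhoneticLastName', 'physicalDeliveryOfficeName',
    'proxyAddresses', 'name', 'sAMAccountName', 'sn'
)

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping for a value placed inside an LDAP filter. Backslash must be
    # escaped first so the escapes added afterwards are not themselves re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Find-UserByAnr {
    param(
        [Parameter(Mandatory)][string]$SearchTerm,
        [string]$Server   # optional domain controller; otherwise the cmdlet discovers one
    )
    # objectCategory=person keeps computer accounts (a subclass of user) out of the results.
    $filter = '(&(objectClass=user)(objectCategory=person)(anr={0}))' -f (ConvertTo-LdapFilterLiteral $SearchTerm)
    $params = @{ LDAPFilter = $filter; Properties = $AnrAttributes }
    if ($Server) { $params.Server = $Server }

    foreach ($obj in Get-ADObject @params) {
        # ANR expands to a prefix ("starts with") match on each attribute in the set,
        # so reproduce that test locally to show where the hit came from.
        # proxyAddresses is multi-valued, hence the @() wrapper.
        $matched = foreach ($attr in $AnrAttributes) {
            $values = @($obj.$attr) | Where-Object { $_ }
            if ($values | Where-Object { "$_".StartsWith($SearchTerm, [StringComparison]::OrdinalIgnoreCase) }) { $attr }
        }
        [pscustomobject]@{
            SamAccountName    = $obj.sAMAccountName
            DistinguishedName = $obj.DistinguishedName
            MatchedOn         = ($matched -join ', ')
            Filter            = $filter
        }
    }
}

# Usage (run on a domain-joined host with the RSAT AD module):
# Find-UserByAnr -SearchTerm 'Thor' | Format-Table -AutoSize
```

MatchedOn can be empty when the hit came from one of ANR's own expansion rules rather than a plain prefix match, for instance a two-word term that ANR split into a first-name/last-name combination; the Filter column shows the exact string sent to the directory, which is useful when correlating the lookup with LDAP query logging on the domain controller.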
Reference Articles:
- MSDN: Ambiguous Name Resolution (ANR)
- Windows: The Underestimated Ambiguous Name Resolution (ANR) Search in Active Directory