How To Query Active Directory


Ambiguous Name Resolution (ANR) is a feature of Microsoft's Active Directory that resolves multiple objects on a computer network from limited input; the user then selects the correct entry from the returned results. For the feature to operate, attributes must be ANR-enabled in the directory schema. ANR is an extension of the Lightweight Directory Access Protocol. When using Microsoft's Outlook or Outlook Web App, partial information typed into the To:, From:, and CC: fields results in an ANR query that returns potential matches.





LDAP ANR

The Lightweight Directory Access Protocol (LDAP) uses the attributes flagged by default for ambiguous name resolution to filter the results of an input query. In Microsoft Active Directory, the searchFlags attribute is a bit flag that defines special properties related to searching with the attribute.

In Windows 2000 the following attributes are set by default for ANR:

  • GivenName
  • Surname
  • displayName
  • LegacyExchangeDN
  • msExchMailNickname
  • RDN
  • physicalDeliveryOfficeName
  • proxyAddress
  • sAMAccountName





Example ANR Search

Many users with the same name are present in Active Directory. Suppose Bill White, Bill Whitehead, and Bill Smith all exist and ANR is enabled; a search for "Bill White" is written as "anr=Bill White". Active Directory will:

  • Notice the "anr" and the embedded space.
  • Check the schema to determine which objects have ANR and SEARCH index bits set.
  • Perform an "or" search for "Bill White*" against the default attributes listed above.
  • Then search for Given-Name=Bill* AND Surname=White*.

The search results returned for "Bill White" are: Bill White, because "Bill White*" matches displayName, and Bill Whitehead, because "Bill*" AND "White*" matches Given-Name=Bill* AND Surname=White*.

Bill Smith does not appear because "Bill*" AND "White*" does not match the Given-Name and Surname of Bill Smith.
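The expansion steps above, written out as an added example (not code from the original article): expand_anr rewrites the text of an "anr=" filter into the explicit OR-of-prefixes plus the Given-Name/Surname AND clause, escaping RFC 4515 special characters so typed text cannot alter the filter, and matches evaluates the same logic locally against constructed sample entries for the three Bills. The LDAP display names (sn for Surname, name for RDN, proxyAddresses) and the case-insensitive prefix comparison are assumptions about how the listed attributes appear on the wire.

```python
import re

# LDAP display names of the Windows 2000 ANR attributes listed above (Surname = sn, RDN = name).
ANR_ATTRIBUTES = [
    "givenName", "sn", "displayName", "legacyExchangeDN", "msExchMailNickname",
    "name", "physicalDeliveryOfficeName", "proxyAddresses", "sAMAccountName",
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so typed text cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def expand_anr(text):
    """Rewrite the text of 'anr=<text>' into the explicit filter the steps above describe."""
    text = text.strip()
    prefix = escape_filter_value(text)
    clauses = [f"({a}={prefix}*)" for a in ANR_ATTRIBUTES]   # the 'or' search over all ANR attributes
    if " " in text:                                           # the embedded space triggers the AND clause
        first, last = (escape_filter_value(p) for p in text.split(None, 1))
        clauses.append(f"(&(givenName={first}*)(sn={last}*))")
    return "(|" + "".join(clauses) + ")"

def _starts(entry, attr, prefix):
    vals = entry.get(attr, [])
    vals = [vals] if isinstance(vals, str) else vals
    return any(v.lower().startswith(prefix.lower()) for v in vals)  # assumed case-insensitive match

def matches(entry, text):
    """Evaluate the same ANR logic locally against one directory entry."""
    text = text.strip()
    if any(_starts(entry, a, text) for a in ANR_ATTRIBUTES):
        return True
    if " " in text:
        first, last = text.split(None, 1)
        return _starts(entry, "givenName", first) and _starts(entry, "sn", last)
    return False

# Constructed sample entries standing in for the three accounts in the text (not real accounts).
DIRECTORY = [
    {"displayName": "Bill White", "givenName": "Bill", "sn": "White", "sAMAccountName": "bwhite"},
    {"displayName": "Bill Whitehead", "givenName": "Bill", "sn": "Whitehead", "sAMAccountName": "bwhitehead"},
    {"displayName": "Bill Smith", "givenName": "Bill", "sn": "Smith", "sAMAccountName": "bsmith"},
]

def anr_search(text):
    """Return the displayName of every sample entry the ANR logic would match."""
    return [e["displayName"] for e in DIRECTORY if matches(e, text)]
```

anr_search("Bill White") returns the two Bills the text predicts and leaves Bill Smith out; a typed value such as "a*b" appears in the expanded filter as a\2ab, so the wildcard is matched literally rather than widening the search.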

Source of the article : Wikipedia
