Active Directory Search that works - Ambiguous Name Resolution

I am not a big fan of having to specify filters using the syntax prescribed for Get-ADUser. Ambiguous Name Resolution (ANR) is an old API that allows you to query against multiple attributes at the same time. There is some more information on ANR here: http://support.microsoft.com/kb/243299

By default, the following attributes are set for ANR:

  • GivenName
  • Surname
  • displayName
  • LegacyExchangeDN
  • msExchMailNickname
  • RDN
  • physicalDeliveryOfficeName
  • proxyAddress
  • sAMAccountName

It turns out you just need to pass in an LDAP query. Once you get the list of results, you can pipe them into the Get-ADUser cmdlet to get the user objects as you would expect them. All we have to do is build an LDAP filter and query against an attribute called ANR. This will return all objects that have an attribute from the list above that matches $User. You can kind of think of it as a wildcard search on steroids.

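Function Get-User {
    param(
        # Name fragment to search for; accepts pipeline input
        [Parameter(ValueFromPipeline)]
        $User
    )
    BEGIN { Import-Module ActiveDirectory }

    PROCESS {
        # ANR matches $User against every attribute in the ANR set
        $filter = "(&(ObjectClass=User)(ANR=$User))"
        # Get-ADObject runs the LDAP query; Get-ADUser returns full user objects
        Get-ADObject -LDAPFilter $filter |
            Get-ADUser
    }
}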
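
The function above places $User into the filter string as-is, so a search term containing `(`, `)`, `*` or `\` changes the filter or makes it invalid. The following is an added example, not part of the original post: it escapes those characters per RFC 4515 before building the same ANR filter. The names ConvertTo-LdapFilterValue, New-AnrFilter and Get-UserByAnr are hypothetical, and the sample inputs are constructed.

```powershell
# Added example; function names are hypothetical, not from the original post.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 treats as special in a filter value:
    # \ * ( ) and NUL become \5c \2a \28 \29 \00 (single pass, no double escaping).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-AnrFilter {
    # Build the same filter the post uses, with the search term escaped first.
    param([Parameter(Mandatory)][string]$Term)
    '(&(ObjectClass=User)(ANR={0}))' -f (ConvertTo-LdapFilterValue -Value $Term)
}

function Get-UserByAnr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string]$User
    )
    begin { Import-Module ActiveDirectory -ErrorAction Stop }
    process {
        $filter = New-AnrFilter -Term $User
        Write-Verbose "LDAP filter: $filter"
        # Same pipeline as the post: LDAP query first, then full user objects.
        Get-ADObject -LDAPFilter $filter | Get-ADUser
    }
}

# Constructed sample inputs; this part only builds filter strings and
# needs neither the ActiveDirectory module nor a domain controller.
'jsmith', 'Smith (Contractor)', 'a*', 'CORP\jsmith' | ForEach-Object {
    '{0,-20} -> {1}' -f $_, (New-AnrFilter -Term $_)
}
```

Calling Get-UserByAnr with -Verbose shows the exact filter sent to the directory, which helps when a search returns nothing.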

Hope this is helpful.

Comments (1) -

You have a great blog here! Would you like to make some invite posts on my blog?
