Share via

Active Directory: Ambiguous Name Resolution

  • Article

Introduction

Ambiguous Name Resolution (ANR) is an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause. It can be used to locate objects in Active Directory when you know something about the name of the object, but not necessarily which naming attribute has the information. While ANR is usually used to locate user objects, it can be used to find any class of object in Active Directory.

Attributes in ANR Set

By default, the following naming-related attributes are supported by Ambiguous Name Resolution in Active Directory (the table lists the lDAPDisplayName's of the attributes):

Windows Server 2000 AD LDS 2003 (and R2) 2008/2012 (and R2)
Schema Version 13 All 30, 31 44, 47, 56, 69
displayName X X X X
givenName (First Name) X
X X
legacyExchangeDN X
X X
msDS-AdditionalSamAccountName

X X
msDS-PhoneticCompanyName


X
msDS-PhoneticDepartment


X
msDS-PhoneticDisplayName


X
msDS-PhoneticFirstName


X
msDS-PhoneticLastName


X
Name (RDN) X X X X
physicalDeliveryOfficeName X X X X
proxyAddresses X X X X
sAMAccountName X
X X
sn (Last Name) X
X X
mail X X X X
mailNickname X X X X
msExchResourceSearchProperties X X X X

The important factor is the schema version of the forest, not the domain or forest functional level or the operating system of the domain controller that handles the query. AD LDS in the table above refers to Active Directory Lightweight Directory Services (formerly called Active Directory Application Mode, or ADAM). Note that the "Name" attribute above is the "Relative Distinguished Name" (RDN) of the object. For user objects, this is the Common Name (the value of the "cn" attribute). The last three attributes in the table, "mail", "mailNickName", and "msExchResourceSearchProperties" are only included if you have the correct version of Exchange.

To determine the schema version of your forest you can use dsquery as follows, assuming your domain is MyDomain.com:

dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Scope base -Attr objectVersion

Or you can use the PowerShell Active Directory module cmdlet Get-ADObject as follows:

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Properties objectVersion | Select objectVersion

This assumes your domain is MyDomain.com, so you must adjust for your domain.

↑ Return to Top

How ANR Works

As an example, suppose you want to find information about someone named "Smith". You can use the LDAP syntax filter:

(anr=Smith)

The "anr" in the filter is short for Ambiguous Name Resolution. This will return objects where the string "smith" appears at the start of any of the naming attributes listed in the table. As always, the search is not case sensitive. In other words, in Windows 2000 Active Directory (schema version 13 for simplicity here) the filter will be converted into the following LDAP filter:

(|(displayName=smith*)(givenName=smith*)(legacyExchangeDN=smith)(physicalDeliveryOfficeName=smith*)(proxyAddresses=smith*)(Name=smith*)(sAMAccountName=smith*)(sn=smith*))

where "|" is the "OR" operator and "*" is the wildcard character. In other words, it finds all objects where any of the designated naming attributes starts with the string "smith". However, note that there is no wildcard character in the clause involving the legacyExchangeDN attribute. Wildcards are not allowed for this attribute (because it is DN syntax) and the clause filters on an exact match.

Better yet, suppose you know the person's name is "Jim Smith". You can use the filter:

(anr=Jim Smith)

In this case Active Directory will search for all objects where any of the naming attributes start with the string "jim smith", plus all objects where (givenName=jim*) and (sn=smith*), plus objects where (givenName=smith*) and (sn=jim*). The algorithm considers only the first space in the string when breaking it up into two values. For example, the filter:

(anr=Jim Smith Williams)

will query for objects where any of the naming attributes matches "Jim Smith Williams*", plus objects where (givenName=jim*) and (sn=smith williams*), plus objects where (givenName=smith williams*) and (sn=jim*).

↑ Return to Top

Details

The behavior described above with regard to the givenName and sn attributes is the default. However, you can assign values to the dSHeuristics attribute for the forest to alter this. Specifically, you can require that the string before the first space in the ANR value is always compared to givenName, while the rest of the string is compared to sn or the reverse. See the references to the dSHeuristics attribute below in the "Other Resources" section for more information. The dSHeuristics is an attribute of the object "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<Domain>" (where <Domain> is the distinguished name of the domain).

You can force ANR to require an exact match on any of the attributes in the table by starting the value with the equal sign, "=" (so the filter has two equal signs). For example, to find objects where any of the attributes in the table exactly matches "Jim Smith", you can use the following LDAP filter:

(anr==Jim Smith)

All of the attributes in the table above apply to user, contact, and computer objects, with the following exceptions. The msDS-AdditionalSamAccountName attribute only applies to computer objects. The sAMAccountName attribute does not apply to contact objects. Ambiguous Name Resolution can be used to retrieve information on any class of object in Active Directory.

↑ Return to Top

Examples

ANR can be used anywhere that LDAP syntax filters are supported. Following are script examples to retrieve information about a user named "Jim Smith" using Ambiguous Name Resolution.

Dsquery Example

Use the following at the command prompt of a domain controller with Windows Server 2003 or above, or any client with RSAT (Remote Server Administration Tools):

dsquery * -Filter "(anr=Jim Smith")

PowerShell Example with Get-ADUser

The following requires PowerShell V2 and the Active Directory module:

Get-ADUser -LDAPFilter "(anr=Jim Smith)"

PowerShell Example with Get-QADUser

The following requires the Quest ActiveRoles Management Shell for Active Directory:

Get-QADUser -Anr "Jim Smith"

VBScript Example

VBScript can be used on any 32-bit or 64-bit Windows client joined to a domain.

Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter
Dim strAttributes, objRootDSE, strDNSDomain
Dim strQuery, adoRecordset, strName, strDN

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user with name "Jim Smith".
strFilter = "(anr=Jim Smith)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" _
    & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strName = adoRecordset.Fields("sAMAccountName").Value
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strDN & " (" & strName & ")"
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

↑ Return to Top

ANR in Outlook and Exchange

When using an Exchange client such as Outlook the user can enter partial data in the From, To, CC, or Bcc fields. ANR is used to find the best matches in Active Directory. If for some reason you want to require an exact match with any of the attributes in the ANR set, you can prefix the string with the equal sign. For example, you could enter "=aliasname".

↑ Return to Top

How to Find Attributes in ANR Set

The attributes in the table at the top of this article are the default ANR set. The Active Directory schema determines which attributes are in this set. You can query for a list of the attributes in the ANR set. Set the base of the query to the distinguished name of your schema container and use the following LDAP syntax filter:

(searchFlags:1.2.840.113556.1.4.803:=4)

This filters on attributes in the schema where the fANR bit (with bit mask 4) of the searchFlags attribute is set. This filter can be used with dsquery *, a VBScript program, or PowerShell. For example, if your domain is MyDomain.com, you can use the dsquery command line utility as follows to output the value of the lDAPDisplayName property of all attributes in the ANR set:

dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Filter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Attr lDAPDisplayName

Or, you can use the Get-ADObject PowerShell Active Directory cmdlet as follows:

Get-ADObject -SearchBase "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Properties lDAPDisplayName | Select lDAPDisplayName

↑ Return to Top

Add Attributes to the ANR Set

You might want to add attributes to the Ambiguous Name Resolution set in your environment to allow people to use the feature with other attributes. For example, you might want users to be able to search on Employee ID numbers, in which case you would add either the employeeID or employeeNumber attribute to the set. Only string attributes can be added to the ANR set. Both employeeID and employeeNumber are string syntax.

The best way to implement this is to use the Active Directory Schema MMC. You will need to do this on your Schema Master. To find which Domain Controller hosts the Schema Master FSMO role for the forest you can use dsquery:

dsquery server -Forest -hasFSMO Schema

Or, you can use the Get-ADForest PowerShell cmdlet:

(Get-ADForest).SchemaMaster

Or, if you have PowerShell V1 you can use the following:

$Forest= [system.directoryservices.activedirectory.Forest]::GetCurrentForest()
"Schema Master: " + $Forest.SchemaRoleOwner

The steps to add an attribute to the ANR Set are as follows:

  1. Logon to the domain controller that has the Schema Master FSMO role for the forest with an account that is a member of the Schema Admins group.
  2. Register the file schmmgmt.dll, if it has not already been registered. At a command prompt, enter the following: regsvr32 %systemroot%\system32\schmmgmt.dll
  3. Open the Active Directory Schema MMC (called ADSchema.msc).
               
  4. Expand the Active Directory Schema and select the "Attributes" branch.
  5. Find the attribute you want to add to the ANR set, right-click the attribute name, and select "Properties". In this example employeeID has been selected.
       
  6. Make sure the following boxes are checked:
    • Index this attribute in the Active Directory
    • Ambiguous Name Resolution (ANR)
    • Replicate this attribute to the Global Catalog
  7. Click "Apply", then "OK", and close the MMC.

You will need to wait for these changes to replicate before you can use the new attribute with ANR. If you have only one domain you might want to not check the box to make the attribute replicate to the Global Catalog, as this initiates forest-wide replication of the GC that should be done during off-peak hours.

When the above settings are applied, the AD Schema MMC performs the following actions:

  • Sets the fANR bit (bit mask 4) of the searchFlags property of the attribute object in the Schema container.
  • Sets the fATTINDEX bit (bit mask 1) of searchFlags. The fANR bit will not take affect unless the fATTINDEX bit is also set.
  • If you specify that the attribute is replicated to the Global Catalog, it assigns "TRUE" to the isMemberOfPartialAttributeSet property of the attribute in the schema.

↑ Return to Top

See Also

↑ Return to Top

Other Resources

↑ Return to Top