How to get a list of users for a given exchange server in a reasonable amount of time?

  • Question

  • User1198986307 posted

    I'm trying to get a list of users (samaccountname property) for a given Exchange server and File server. I'm trying to do the following queries:

    (&(objectCategory=person)(msexchhomeservername=*XYZEXCH01))

    (&(objectCategory=person)(homedirectory=\\XYZFILE01\*))

    Has anyone done this? Any ideas on how to speed this AD query up?

    Thanks in advance.

    Monday, April 24, 2006 4:33 PM

All replies

  • User1354132231 posted
    You can try adding more indexed attributes to see if that will help.  Right now, you are hitting every contact in your organization too (though objectCategory is indexed).

    Try adding "(sAMAccountType=805306368)" as this specifies that it must be a user security principal as well (and this is indexed).
    Tuesday, April 25, 2006 10:46 AM
  • User1198986307 posted

    Hey Ryan,

    Thanks for your help. Adding the sAMAccountType property to the filter did help some of the speed issues. I never could get the query to run with any decent speed. I'm not an LDAP/AD guru so it's trial and error for me.

    Here is what I ended up using:
    (&(objectCategory=person)(sAMAccountType=805306368)(msexchhomeservername=*)(!(samaccountname=-*))(!(samaccountname=_*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    So what I have is a filter to return all results with an objectCategory of person, the sAMAccountType, where the exchange server is populated, the samaccountname does not start with - or _, and finally where the account is not disabled.

    Thanks again.

    Tuesday, May 2, 2006 11:47 PM
  • User1354132231 posted
    Well, writing good LDAP queries (or writing them optimally) can be a little bit of an art.  The good news is that you can test them using ldp.exe and the STATS control which will tell you if you are hitting an index or not.  I think you need to use admin credentials to use the STATS control however.

    You can rearrange your filter a little and it might help.  Windows 2003 has a better index processor, but you might be outside what it can do.  Specifically, the (!) and bitwise operation make it such that you cannot use indexes efficiently.  You can try to fix this by rearranging your filter:

    (&
        (objectClass=user)
        (objectCategory=person)
        (sAMAccountType=805306368)
        (msexchhomeservername=*)
        (!
           (|
                (&(sAMAccountType=805306368)(sAMAccountName=-*))
                (&(sAMAccountType=805306368)(sAMAccountName=_*))
                (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))
           )
        )
    )

    I am attempting to add indexed attributes into all the & portions and also put them around the bitwise filter, which does not use an index.  I tested this on my domain and as long as I had paging and put some PropertiesToLoad values in there (so it did not try to retrieve everything), it hauled.


    Wednesday, May 3, 2006 1:59 PM
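
An added example, not code from the thread: the rearranged filter from the reply above, run through System.DirectoryServices with paging and PropertiesToLoad set as that reply describes. The search base `LDAP://DC=example,DC=com`, the page size of 500, and the client-side match on the server name from the question are assumptions.

```csharp
using System;
using System.DirectoryServices;

class ExchangeMailboxUsers
{
    // The rearranged filter from the reply above, joined onto one line.
    const string Filter =
        "(&(objectClass=user)(objectCategory=person)(sAMAccountType=805306368)" +
        "(msExchHomeServerName=*)" +
        "(!(|" +
        "(&(sAMAccountType=805306368)(sAMAccountName=-*))" +
        "(&(sAMAccountType=805306368)(sAMAccountName=_*))" +
        "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        ")))";

    static void Main()
    {
        const string server = "XYZEXCH01";               // server name from the question
        const string path = "LDAP://DC=example,DC=com";  // assumed search base

        using (var root = new DirectoryEntry(path))
        using (var searcher = new DirectorySearcher(root, Filter))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 500;  // assumed value; any non-zero size turns on paged results
            // Ask only for the attributes that are read below.
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("msExchHomeServerName");

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    var names = result.Properties["samaccountname"];
                    var homes = result.Properties["msexchhomeservername"];
                    if (names.Count == 0 || homes.Count == 0) continue;

                    // Client-side form of the question's (msexchhomeservername=*XYZEXCH01).
                    string home = (string)homes[0];
                    if (home.EndsWith(server, StringComparison.OrdinalIgnoreCase))
                        Console.WriteLine(names[0]);
                }
            }
        }
    }
}
```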
  • User1198986307 posted

    Hey Dunnry,

    Thanks for your help. You are right, AD queries are art. The query you crafted (and I use that word because it looks like art to me) was right on the money and got things running much faster.

    Thanks again.

    -Tony

    Sunday, June 25, 2006 5:37 PM