two equal signs (==) in anr not working

  • Question

  • I have added the following 2 entities to my Domain:

    PS C:\Users\Administrator.LH269> Get-ADUser -LDAPFilter '(anr==leon)'
    DistinguishedName : CN=Leon1,CN=Users,DC=LH269,DC=com
    Enabled           : True
    GivenName         : Jennifer
    Name              : Leon1
    ObjectClass       : user
    ObjectGUID        : 942dd033-6414-471b-b142-77ac954c3d07
    SamAccountName    : leon-s
    SID               : S-1-5-21-2040647692-1963463148-3417863429-1151
    Surname           : Leon
    UserPrincipalName : Leon1@LH269.com
    
    DistinguishedName : CN=Leon\, Jennifer,CN=Users,DC=LH269,DC=com
    Enabled           : True
    GivenName         : Jennifer
    Name              : Leon, Jennifer
    ObjectClass       : user
    ObjectGUID        : ff0aae88-83ad-4118-a76f-fdd90242ead5
    SamAccountName    : leon
    SID               : S-1-5-21-2040647692-1963463148-3417863429-1145
    Surname           : Leon-Jarama
    UserPrincipalName : Leon@LH269.com
    

    When I execute the following query:

    Get-ADUser -LDAPFilter '(anr==leon)'
    

    I would expect to get only 1 response: CN=Leon\, Jennifer,CN=Users,DC=LH269,DC=com

    Why do I get 2 results? In the ANR documentation it clearly says, when using anr==XXX:

    You can force ANR to require an exact match on any of the attributes in the table by starting the value with the equal sign, "=" (so the filter has two equal signs)
    


    Wednesday, May 23, 2018 11:15 AM

Answers

  • In one case surname is "Leon", an exact match. In the other case sAMAccountName is "leon", also an exact match (case insensitive). The ANR feature searches any of several attributes (depending on OS), such as displayName, givenName, Name (RDN), physicalDeliveryOfficeName, proxyAddresses, sAMAccountName, sn (Surname), and mailNickName. When you use "==", it searches for an exact match in any of the ANR attributes. The ANR attributes, and details on how it works (including "=="), are documented here:

    https://social.technet.microsoft.com/wiki/contents/articles/22653.active-directory-ambiguous-name-resolution.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by ilan.sch Thursday, May 24, 2018 3:39 AM
    Wednesday, May 23, 2018 8:36 PM
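
The behaviour described in the answer, as an added example that is not part of the original thread and is not Microsoft's implementation: it builds the explicit OR filter that `(anr==leon)` behaves like for a single-token value and reports which ANR attribute produced each hit. The function names are hypothetical, the attribute list is the one given in the answer, the first two sample entries copy the attributes shown in the question, and the third is constructed.

```powershell
# ANR attributes as listed in the answer above (the real set depends on OS/schema).
$AnrAttributes = 'displayName', 'givenName', 'name', 'physicalDeliveryOfficeName',
                 'proxyAddresses', 'sAMAccountName', 'sn', 'mailNickName'

function Get-AnrExactFilter {
    # Hypothetical helper: the explicit OR filter equivalent to '(anr==<value>)'
    # for a value without spaces, based on the attribute list above.
    param([Parameter(Mandatory)][string]$Value)
    # Escape LDAP filter metacharacters (RFC 4515); the backslash must go first.
    $escaped = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $clauses = $AnrAttributes | ForEach-Object { "($_=$escaped)" }
    '(|' + ($clauses -join '') + ')'
}

function Get-AnrExactMatch {
    # Hypothetical helper: for each entry, list the ANR attributes whose value
    # equals $Value. -contains compares strings case-insensitively, like the directory.
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][object[]]$Entry
    )
    foreach ($e in $Entry) {
        $hits = foreach ($a in $AnrAttributes) {
            $prop = $e.PSObject.Properties[$a]
            if ($prop -and (@($prop.Value) -contains $Value)) { $a }
        }
        if ($hits) {
            [pscustomobject]@{ Name = $e.name; MatchedOn = @($hits) -join ', ' }
        }
    }
}

# Sample entries: the first two mirror the users in the question,
# the third is constructed to show that a longer value is not an exact match.
$sample = @(
    [pscustomobject]@{ name = 'Leon1'; givenName = 'Jennifer'; sAMAccountName = 'leon-s'; sn = 'Leon' }
    [pscustomobject]@{ name = 'Leon, Jennifer'; givenName = 'Jennifer'; sAMAccountName = 'leon'; sn = 'Leon-Jarama' }
    [pscustomobject]@{ name = 'Leonard Example'; givenName = 'Leonard'; sAMAccountName = 'leonard'; sn = 'Example' }
)

Get-AnrExactFilter -Value 'leon'
Get-AnrExactMatch -Value 'leon' -Entry $sample
```

To return only the account whose logon name is "leon", filter on that one attribute, for example `Get-ADUser -LDAPFilter '(sAMAccountName=leon)'`, instead of using ANR.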