Ambiguous Name Resolution (ANR) is an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause. It can be used to locate objects in Active Directory when you know something about the name of the object, but not necessarily which naming attribute holds that information. While ANR is usually used to locate user objects, it can be used to find any class of object in Active Directory.
By default, the following naming-related attributes are supported by Ambiguous Name Resolution in Active Directory (the table lists the lDAPDisplayName of each attribute):
The important factor is the schema version of the forest, not the domain or forest functional level or the operating system of the domain controller that handles the query. AD LDS in the table above refers to Active Directory Lightweight Directory Services (formerly called Active Directory Application Mode, or ADAM). Note that the "Name" attribute above is the "Relative Distinguished Name" (RDN) of the object. For user objects, this is the Common Name (the value of the "cn" attribute). The last three attributes in the table, "mail", "mailNickName", and "msExchResourceSearchProperties", are only included if you have the corresponding version of Exchange.
To determine the schema version of your forest you can use dsquery as follows, assuming your domain
dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Scope base -Attr objectVersion
Or you can use the PowerShell Active Directory module cmdlet Get-ADObject as follows:
Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Properties objectVersion | Select objectVersion
This assumes your domain is MyDomain.com, so you must adjust for your domain.
As an example, suppose you want to find information about someone named "Smith". You can use the LDAP syntax filter:
(anr=smith)
The "anr" in the filter is short for Ambiguous Name Resolution. This will return objects where the string "smith" appears at the start of any of the naming attributes listed in the table. As always, the search is not case sensitive. In other words, in Windows 2000 Active Directory (schema version 13, for simplicity here) the filter will be converted into the following LDAP filter:
where "|" is the "OR" operator and "*" is the wildcard character. In other words, it finds all objects where any of the designated naming attributes starts with the string "smith". However, note that there is no wildcard character in the clause involving the legacyExchangeDN attribute. Wildcards are not allowed for this attribute (because it has DN syntax), so that clause filters on an exact match.
Better yet, suppose you know the person's name is "Jim Smith". You can use the filter:
(anr=Jim Smith)
In this case Active Directory will search for all objects where any of the naming attributes starts with the string "jim smith", plus all objects where (givenName=jim*) and (sn=smith*), plus objects where (givenName=smith*) and (sn=jim*). The algorithm considers only the first space in the string when breaking it up into two values. For example, the filter:
(anr=Jim Smith Williams)
will query for objects where any of the naming attributes matches "Jim Smith Williams*", plus objects where (givenName=jim*) and (sn=smith williams*), plus objects where (givenName=smith williams*) and (sn=jim*).
The behavior described above with regard to the givenName and sn attributes is the default. However, you can assign values to the dSHeuristics attribute for the forest to alter this. Specifically, you can require that the string before the first space in the ANR value is always compared to givenName, while the rest of the string is compared to sn, or the reverse. See the references to the dSHeuristics attribute below in the "Other Resources" section for more information. dSHeuristics is an attribute of the object "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<Domain>" (where <Domain> is the distinguished name of the domain).
You can force ANR to require an exact match on any of the attributes in the table by starting the value with the equal sign, "=" (so the filter has two equal signs). For example, to find objects where any of the attributes in the table exactly matches "Jim Smith", you can use the following LDAP filter:
(anr==Jim Smith)
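The expansion rules above (prefix match on every ANR attribute, exact match for the DN-syntax legacyExchangeDN, the givenName/sn split on the first space, and the "==" exact form) can be modelled locally. The following is an added example, not code from the original article; it uses an assumed subset of the ANR set, does not contact a domain controller, and assumes the givenName/sn split also applies in exact mode.

```python
# Added example: a local model of default ANR expansion (no directory access).
# ANR_SET is an ASSUMED subset; the real set comes from the schema (fANR bit).
ANR_SET = ("displayName", "givenName", "legacyExchangeDN", "name",
           "sAMAccountName", "sn")
# DN-syntax attributes do not accept wildcards, so they get exact matches.
NO_WILDCARD = {"legacyExchangeDN"}

def expand_anr(value, anr_set=ANR_SET):
    """Return the LDAP filter an (anr=<value>) clause is expanded into."""
    value = value.lower()               # the search is case-insensitive
    exact = value.startswith("=")       # leading "=" (i.e. anr==) forces exact matches
    if exact:
        value = value[1:]
    def clause(attr, v):
        star = "" if exact or attr in NO_WILDCARD else "*"
        return f"({attr}={v}{star})"
    parts = [clause(a, value) for a in anr_set]
    # Only the first space is considered when splitting into two values.
    if " " in value:
        first, rest = value.split(" ", 1)
        parts.append("(&" + clause("givenName", first) + clause("sn", rest) + ")")
        parts.append("(&" + clause("givenName", rest) + clause("sn", first) + ")")
    return "(|" + "".join(parts) + ")"

def anr_matches(entry, value, anr_set=ANR_SET):
    """Apply the same rules to one object's attributes (a dict of strings)."""
    value = value.lower()
    exact = value.startswith("=")
    if exact:
        value = value[1:]
    def hit(attr, v):
        actual = str(entry.get(attr, "")).lower()
        if not actual:
            return False
        if exact or attr in NO_WILDCARD:
            return actual == v
        return actual.startswith(v)
    if any(hit(a, value) for a in anr_set):
        return True
    if " " in value:
        first, rest = value.split(" ", 1)
        return (hit("givenName", first) and hit("sn", rest)) or \
               (hit("givenName", rest) and hit("sn", first))
    return False

if __name__ == "__main__":
    print(expand_anr("Jim Smith"))
```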
All of the attributes in the table above apply to user, contact, and computer objects, with the following exceptions. The msDS-AdditionalSamAccountName attribute only applies to computer objects. The sAMAccountName attribute does not apply to contact objects.
Ambiguous Name Resolution can be used to retrieve information on any class of object in Active Directory.
ANR can be used anywhere that LDAP syntax filters are supported. Following are script examples to retrieve information about a user named "Jim Smith" using Ambiguous Name Resolution.
Use the following at the command prompt of a domain controller with Windows Server 2003 or above:
dsquery * -Filter "(anr=Jim Smith)"
The following requires PowerShell V2 and the Active Directory module:
Get-ADUser -LDAPFilter "(anr=Jim Smith)"
The following requires the Quest ActiveRoles Management Shell for Active Directory:
Get-QADUser -Anr "Jim Smith"
VBScript can be used on any 32-bit or 64-bit Windows client joined to a domain.
Dim adoCommand, adoConnection, strBase, strFilter
Dim strAttributes, objRootDSE, strDNSDomain
Dim strQuery, adoRecordset, strName, strDN
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user with name "Jim Smith".
strFilter = "(anr=Jim Smith)"
' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"
' Construct the LDAP syntax query (base;filter;attributes;scope).
strQuery = strBase & ";" & strFilter & ";" _
    & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strName = adoRecordset.Fields("sAMAccountName").Value
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strDN & " (" & strName & ")"
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
When using an Exchange client such as Outlook, the user can enter partial data in the From, To, CC, or Bcc fields. ANR is used to find the best matches in Active Directory. If for some reason you want to require an exact match with any of the attributes in the ANR set, you can prefix the string with the equal sign. For example, you could enter "=aliasname".
The attributes in the table at the top of this article are the default ANR set. The Active Directory schema determines which attributes are in this set. You can query for a list of the attributes in the ANR set. Set the base of the query to the distinguished name of your schema container and use the following LDAP syntax filter:
(searchFlags:1.2.840.113556.1.4.803:=4)
This filters on attributes in the schema where the fANR bit (bit mask 4) of the searchFlags attribute is set, using the LDAP_MATCHING_RULE_BIT_AND extensible matching rule. This filter can be used with dsquery *, a VBScript program, or PowerShell. For example, if your domain is MyDomain.com, you can use the dsquery command line utility as follows to output the value of the lDAPDisplayName property of all attributes in the ANR set:
dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -Filter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Attr lDAPDisplayName
Or, you can use the Get-ADObject PowerShell Active Directory cmdlet as follows:
Get-ADObject -SearchBase "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Properties lDAPDisplayName | Select lDAPDisplayName
You might want to add attributes to the Ambiguous Name Resolution set in your environment to allow people to use the feature with other attributes. For example, you might want users to be able to search on Employee ID numbers, in which case you would add either the employeeID or employeeNumber attribute to the set. Only string attributes can be added to the ANR set, and both of these are in fact string syntax.
The best way to implement this is to use the Active Directory Schema MMC. You will need to do this on your Schema Master. To find which Domain Controller hosts the Schema Master FSMO role for the forest you can use dsquery:
dsquery server -Forest -hasFSMO Schema
Or, you can use the Get-ADForest PowerShell cmdlet:
Or, if you have PowerShell V1 you can use the following (the first line retrieves the current forest through the .NET System.DirectoryServices.ActiveDirectory classes):
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Schema Master: " + $Forest.SchemaRoleOwner
The steps to add an attribute to the ANR Set are as follows:
You will need to wait for these changes to replicate before you can use the new attribute with ANR. If you have only one domain, you might choose not to check the box that makes the attribute replicate to the Global Catalog, as this initiates a forest-wide replication of the GC that should be done during off-peak hours.
When the above settings are applied, the AD Schema MMC performs the following actions: