Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-08-12) Interesting Attribute: Measuring Number Of Subordinate Objects (msDS-Approx-Immed-Subordinates)

Posted by Jorge on 2014-08-12


Have you ever wanted to get the count of objects within a certain container? Well, you can use one of the PowerShell scripts below if you want. BUT… be careful which one you use to make sure you get accurate results!

The constructed attribute "msDS-Approx-Immed-Subordinates" is mainly used by UIs to display the number of direct descendant objects of a container object. As you may know, Active Directory Users And Computers (ADUC) displays a message when the total number of objects exceeds the default limit of 2000 objects.


Figure 1: The Approximate Number Of Objects When Exceeding The Default Limit In ADUC

However, you can of course also use it yourself, but should you? Let's have a look at some examples.

One OU with a small number of objects > "OU=Users,OU=W2K12,OU=Recovery-Demo,DC=ADCORP,DC=LAB"

Using the following PowerShell script…

Import-Module ActiveDirectory
$ouDN = "OU=Users,OU=W2K12,OU=Recovery-Demo,DC=ADCORP,DC=LAB"
Get-ADOrganizationalUnit -Identity $ouDN -Properties "msDS-Approx-Immed-Subordinates"

…you get the output


Figure 1: Output When Using The Constructed Attribute (Small Number Of Objects)

As you can see it counted 130 subordinate objects.

Now let's use another method to really count the objects. Using the following PowerShell script…

Import-Module ActiveDirectory
$ouDN = "OU=Users,OU=W2K12,OU=Recovery-Demo,DC=ADCORP,DC=LAB"
Get-ADObject -Filter * -SearchBase $ouDN -SearchScope OneLevel | Measure-Object

…you get the output


Figure 2: Output When Really Counting Objects (Small Number Of Objects)

As you can see it counted 105 subordinate objects. This value is correct. The constructed attribute "counted" too many objects.

Now, one OU with a very large number of objects > "OU=Users,OU=Common,OU=Recovery-Demo,DC=ADCORP,DC=LAB"

Using the following PowerShell script…

Import-Module ActiveDirectory
$ouDN = "OU=Users,OU=Common,OU=Recovery-Demo,DC=ADCORP,DC=LAB"
Get-ADOrganizationalUnit -Identity $ouDN -Properties "msDS-Approx-Immed-Subordinates"

…you get the output


Figure 3: Output When Using The Constructed Attribute (Large Number Of Objects)

As you can see it counted 7672 subordinate objects. Compare it with the message in figure 1. It’s the exact same number!

Now let's use another method to really count the objects. Using the following PowerShell script…

Import-Module ActiveDirectory
$ouDN = "OU=Users,OU=Common,OU=Recovery-Demo,DC=ADCORP,DC=LAB"
Get-ADObject -Filter * -SearchBase $ouDN -SearchScope OneLevel | Measure-Object

…you get the output


Figure 4: Output When Really Counting Objects (Large Number Of Objects)

As you can see it counted 20005 subordinate objects. This value is correct. The constructed attribute did not "count" enough objects. It missed 13033 objects. That's quite a lot!

Moral of the story? Do not use the constructed attribute "msDS-Approx-Immed-Subordinates", as it is far from accurate. If you need an accurate number, get the objects you want and then pipe them to the "Measure-Object" cmdlet. That will give you an accurate number of subordinate objects!
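The comparison above can be done in one pass for any number of containers. The following is an added example, not code from the original post: the function name Compare-ADSubordinateCount is hypothetical, and it assumes the ActiveDirectory module is installed and a domain controller is reachable.

```powershell
# Added example (not from the original post).
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Compare-ADSubordinateCount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ContainerDN
    )
    process {
        foreach ($dn in $ContainerDN) {
            try {
                # Constructed attributes are only returned when requested explicitly.
                $container = Get-ADObject -Identity $dn `
                    -Properties 'msDS-Approx-Immed-Subordinates' -ErrorAction Stop
                $approx = $container.'msDS-Approx-Immed-Subordinates'

                # Exact count: enumerate direct children only (OneLevel) and
                # stream them into Measure-Object instead of holding them in memory.
                $exact = (Get-ADObject -Filter * -SearchBase $dn `
                    -SearchScope OneLevel -ErrorAction Stop | Measure-Object).Count

                [pscustomobject]@{
                    Container   = $dn
                    Approximate = $approx
                    Exact       = $exact
                    # Positive: attribute over-reports. Negative: it under-reports.
                    Difference  = if ($null -ne $approx) { $approx - $exact } else { $null }
                }
            }
            catch {
                Write-Warning "Could not read '$dn': $($_.Exception.Message)"
            }
        }
    }
}

# The two OUs used in this post.
'OU=Users,OU=W2K12,OU=Recovery-Demo,DC=ADCORP,DC=LAB',
'OU=Users,OU=Common,OU=Recovery-Demo,DC=ADCORP,DC=LAB' |
    Compare-ADSubordinateCount |
    Format-Table -AutoSize
```

The exact count only includes objects that the account running the search is allowed to read, so run it with an account that can see everything in the container.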

MSDN: ms-DS-Approx-Immed-Subordinates attribute

MSDN: 3.1.1.4.5.15 msDS-Approx-Immed-Subordinates

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
