Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-01-21) Finding Attributes Used In Ambiguous Name Resolution (ANR)

Posted by Jorge on 2015-01-21


When an attribute is defined with the bit 2^2 (=4) in the searchFlags property, the attribute is used in ambiguous name resolution (ANR). Ambiguous Name Resolution (ANR) is an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single (filter) clause (e.g. (ANR=jorge)). It can be used to locate objects in Active Directory when you know something about the name of the object, but not necessarily which naming attribute has the information. While ANR is usually used to locate user objects, it can be used to find any class of object in Active Directory. ANR is most used in address book lookups. The list of attributes used in ANR is different per AD version. ANR enabled attributes must be indexed.

ADFIND

ADFIND -h R1FSRWDC1.IAMTEC.NET -schema -f "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))" -dn

OR

ADFIND -h R1FSRWDC1.IAMTEC.NET -bit -schema -f "(&(objectClass=attributeSchema)(searchFlags:AND:=4))" -dn

OR

ADFIND -sc ANR -dn (sorted output: ADFIND -sc ANRL -dn)

image

Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server R1FSRWDC1.IAMTEC.NET -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))" | %{$_.DistinguishedName}

ADSI Through PoSH

$targetDC = "R1FSRWDC1.IAMTEC.NET"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.SearchRoot = "LDAP://$targetDC/$schemaNamingContext"
$search.filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))"
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: replace the FQDN of the DC with your info

PS: the opposite of this query can be found by replacing (searchFlags:1.2.840.113556.1.4.803:=4) with (!(searchFlags:1.2.840.113556.1.4.803:=4))

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: