Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-02-10) Finding Attributes With A Subtree Index

Posted by Jorge on 2015-02-10

When an attribute is defined with the bit 2^6 (=64) in the searchFlags property, the attribute is configured to have a subtree index. This index allows Virtual List View (VLV) operations to be more efficient when using a specific attribute as the sort key. In a (very) large DS it also prevents the VLV query to terminate with the "Critical Extension Unavailable" error as a subtree index prevents the use of the special internal table called TEMP. The size of this table can vary, but by default the maximum number of entries is configured to be 10000 (the MaxTempTableSize setting of the Default Query Policy). VLV is a GUI technique that can be used when, ordered lists containing a large number of entries, need to be displayed. When the LDAP protocol is extended to use VLV (request: 2.16.840.1.113730.3.4.9; response: 2.16.840.1.113730.3.4.10), a window that contains a small number of visible list entries is drawn. The visible portion of the list can be relocated to different points in the list by means of scrolling, slider bars, and cursor keys as well as PAGE UP/DOWN keys. The user experience is that the full list can be browsed at will, even though it might contain millions of entries. In fact, the complete list contents are never required at any one time. Rather than retrieve the complete list from wherever it is stored (typically, from disk or a remote server), the server retrieves only the information that is required to display the part of the list that is currently in view on the client. This improves both the response from the server and the speed at which results are listed at the client.


ADFIND -h R1FSRWDC1.IAMTEC.NET -schema -f "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=64))" -dn


ADFIND -h R1FSRWDC1.IAMTEC.NET -bit -schema -f "(&(objectClass=attributeSchema)(searchFlags:AND:=64))" -dn


ADFIND -sc SINDEXED -dn (sorted output: ADFIND -sc SINDEXEDL -dn)


Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server R1FSRWDC1.IAMTEC.NET -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=64))" | %{$_.DistinguishedName}

ADSI Through PoSH

$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.SearchRoot = "LDAP://$targetDC/$schemaNamingContext"
$search.filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=64))"
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: replace the FQDN of the DC with your info

PS: the opposite of this query can be found by replacing (searchFlags:1.2.840.113556.1.4.803:=64) with (!(searchFlags:1.2.840.113556.1.4.803:=64))

More information:

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: