Shortcuts when specifying 'objectCategory' in an Active Directory search filter

Hayim S. Hendeles

In a recent post, one of our very helpful posters, Joe Richards,
made the following comment about specifying an Active Directory
filter:

"In fact objectcategory=user, shouldn't even be valid. MS converts the
objectcategory=user to objectcategory=person in the background for
you."

While I have no doubts this is true, I have not been able to find
any MS documentation on this, and how it works. I am afraid that not
knowing this information might backfire in some cases.

For example: Since objectCategory is really stored as a DN, and only
objectClass as "person" --- might it be possible that Active Directory
merely converts "objectCategory=person" to "objectClass=person"?

Also, will it be more efficient to search for a full DN
-"objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=...."
as opposed to "objectCategory=person"?

Lastly, is there any kind of documentation as to exactly what
shortcuts are allowed when specifying "objectCategory"?

Thanks,
Hayim Hendeles
 
Joe Richards [MVP]

The valid values for objectcategory are what you will find in the objectcategory
attributes of the various objects in your AD.

When you specify an objectclass in the objectcategory field it will switch it to
the category of the given class...

For instance, objectclass user maps to objectcategory person, as does
objectclass contact. objectclass computer maps to objectcategory computer so
that one works out well. Simply note the defaultObjectCategory of the specific
class definition in the schema to ascertain what objectCategory it is going to
resolve to.

When I say that it changes to

objectcategory=person

it in reality switches to

objectCategory=CN=Person,CN=Schema,CN=Configuration,...

Most people would be really thrown if I start spouting full filters like that.
You can specify that but I doubt it would save you much since the query analyzer
is going to do it anyway right up front.

This is all very easy to see with Windows Server 2003 DCs by telling the DC to
return stats info. It will return the filter actually used.

For example:

[Mon 08/23/2004 15:27:53.14]
C:\>adfind -default -f objectcategory=user -stats+only

AdFind V01.20.00cpp Joe Richards ([email protected]) August 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com



Statistics
=================================
Elapsed Time: 220 (ms)
Returned 302 entries of 308 visited - (98.05%)

Used Filter:
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)

Used Indices:
idx_objectCategory:308:N


Analysis
---------------------------------
Hit Rate of 98.05% is Efficient

Indices used:

Index Name : idx_objectCategory
Record Count: 308 (estimate)
Index Type : Normal Attribute Index


Filter Breakdown:

(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)

[Mon 08/23/2004 15:29:51.12]
C:\>


Contrast with

[Mon 08/23/2004 15:29:51.12]
C:\>adfind -default -f "&(objectcategory=person)(objectclass=user)" -stats+only

AdFind V01.20.00cpp Joe Richards ([email protected]) August 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com



Statistics
=================================
Elapsed Time: 231 (ms)
Returned 299 entries of 308 visited - (97.08%)

Used Filter:
( & (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
(objectClass=user) )

Used Indices:
idx_objectCategory:308:N


Analysis
---------------------------------
Hit Rate of 97.08% is Efficient

Indices used:

Index Name : idx_objectCategory
Record Count: 308 (estimate)
Index Type : Normal Attribute Index


Filter Breakdown:

(&
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
(objectClass=user)
)

[Mon 08/23/2004 15:31:49.35]
C:\>


Note that the second, more specific filter actually returns fewer entries than the
first; this is because I have a couple of test contacts in my test AD.

joe
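
The resolution described in the reply above, as an added example that is not part of the original posts and is not the DC's or AdFind's own code: it rewrites an objectCategory shortcut to the schema DN the way the "Used Filter" output shows, and lists which classes share that category. The function names and the lookup table are hypothetical, the table holds only the mappings named in the thread, and the schema DN is built from the base DN on the assumption of a single-domain forest like the one in the output.

```python
import re

# Constructed sample: class lDAPDisplayName -> RDN of its defaultObjectCategory,
# limited to the mappings named in the thread. A real table would be read from
# the defaultObjectCategory attribute of each class definition in the schema.
DEFAULT_OBJECT_CATEGORY = {
    "user": "Person",
    "contact": "Person",
    "person": "Person",
    "computer": "Computer",
}

# A simple equality item such as (objectCategory=user).
_ITEM = re.compile(r"\(\s*objectCategory\s*=\s*([^()]+?)\s*\)", re.IGNORECASE)


def expand_object_category(ldap_filter, base_dn):
    """Rewrite objectCategory shortcuts in a filter to the full schema DN.

    Values that already are a DN, contain a wildcard, or are not in the
    table are left untouched rather than guessed at.
    """
    # Assumption: single-domain forest, so the schema sits under base_dn.
    schema_nc = "CN=Schema,CN=Configuration," + base_dn

    def repl(match):
        value = match.group(1)
        if "=" in value or "*" in value:
            return match.group(0)
        category = DEFAULT_OBJECT_CATEGORY.get(value.lower())
        if category is None:
            return match.group(0)
        return "(objectCategory=CN=%s,%s)" % (category, schema_nc)

    return _ITEM.sub(repl, ldap_filter)


def classes_matched(short_name):
    """Classes in the table whose objects the shortcut returns, i.e. every
    class whose defaultObjectCategory equals the one the shortcut resolves to."""
    target = DEFAULT_OBJECT_CATEGORY.get(short_name.lower())
    return sorted(c for c, cat in DEFAULT_OBJECT_CATEGORY.items() if cat == target)


if __name__ == "__main__":
    print(expand_object_category("(objectcategory=user)", "DC=joe,DC=com"))
    print(classes_matched("user"))
```

Because user and contact resolve to the same category, a filter meant to enumerate accounts needs the extra (objectClass=user) term, which is the difference between the two result counts above.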
 
