Reputation: 24480
Active Directory Query Performance in C#
I'm writing some code to work with Active Directory. This code includes functions to pull back a user given their account name, then get direct reports and get group memberships (these can be run recursively or non-recusively depending if the full hierarchy is required). I've seen a few answers on how this can be done. However all answers seem to rely on the Distinguished Name.
Is the Distinguished Name the foreign key (in database terms) used to relate these objects in active directory? My intuition suggests that the objectGuid would be the key used to relate items to one another as that will never change. As a result I'd assume performance would be better if I rewrote the queries to use objectGuid over DN.
- is it possible to query for groups containing a user/group by objectGuid?
- is it possible to query for the objectGuids of direct reports for a given manager (objectGuid).
- do objectGuid queries outperform other attributes, or is DN, sAMAccountName, or one of the other key attributes the best key to use from a performance perpective?
- are the above answers true of most(all?) LDAP implementations, or are they specific to MS AD?
Thanks in advance,
JB
ps. as with most of my questions, the performance difference is probably negligible; this is more for academic interest / satisfying my curiosity.
Upvotes: 2
Views: 1716
Answers (1)
Reputation: 3177
If an application stores or caches identifiers or references to objects stored in Active Directory Domain Services, the object GUID is the best identifier to use for several reasons:
- The objectGUID property of on object never changes even if the object is renamed or moved.
- It is easy to bind to the object using the object GUID.
- If the object is renamed or moved, the objectGUID property provides a single identifier that can be used to quickly find and identify the object rather than having to compose a query that has conditions for all properties that would identify that object.
On the other hand an object's distinguished name changes if the object is renamed or moved, therefore the distinguished name is not a reliable object identifier.
So it is not about Performance, its about Relaibility that you should search the directory using objectGUID.
Coming to your next question:
Is it possible to query for groups containing a user/group by objectGuid?
Ofcourse Yes. Check this link.
Hope it helps !!
Upvotes: 7
Related Questions
- AD Query Performance When All AD Members Perform Queries
- C# Active Directory calls very slow
- C# Active Directory Browsing best practices
- Active directory query with wildcards has poor performance
- PowerShell AD query vs C# AD Query - Speed
- ActiveDirectory: Query Performance
- Query Active Directory Fast
- C# LDAP performance
- ActiveDirectory performance with query on large database
- getting user details from AD is slow