
I'm writing some code to work with Active Directory. This code includes functions to pull back a user given their account name, then get direct reports and get group memberships (these can be run recursively or non-recursively depending on whether the full hierarchy is required). I've seen a few answers on how this can be done. However, all answers seem to rely on the Distinguished Name.

Is the Distinguished Name the foreign key (in database terms) used to relate these objects in active directory? My intuition suggests that the objectGuid would be the key used to relate items to one another as that will never change. As a result I'd assume performance would be better if I rewrote the queries to use objectGuid over DN.

  • Is it possible to query for groups containing a user/group by objectGuid?
  • Is it possible to query for the objectGuids of direct reports for a given manager (objectGuid)?
  • Do objectGuid queries outperform other attributes, or is DN, sAMAccountName, or one of the other key attributes the best key to use from a performance perspective?
  • Are the above answers true of most (all?) LDAP implementations, or are they specific to MS AD?

Thanks in advance,

JB

ps. as with most of my questions, the performance difference is probably negligible; this is more for academic interest / satisfying my curiosity.


If an application stores or caches identifiers or references to objects stored in Active Directory Domain Services, the object GUID is the best identifier to use for several reasons:

  • The objectGUID property of an object never changes even if the object is renamed or moved.
  • It is easy to bind to the object using the object GUID.
  • If the object is renamed or moved, the objectGUID property provides a single identifier that can be used to quickly find and identify the object rather than having to compose a query that has conditions for all properties that would identify that object.

On the other hand, an object's distinguished name changes if the object is renamed or moved; therefore the distinguished name is not a reliable object identifier.
So it is not about performance, it's about reliability that you should search the directory using objectGUID.

Coming to your next question:

Is it possible to query for groups containing a user/group by objectGuid?

Of course, yes. Check this link.
Hope it helps!!
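As an added example (not part of the answer above, and not code from any particular library), here is how the two-step lookup the answer alludes to looks in practice: resolve the objectGUID to the object's current DN with an `(objectGUID=...)` filter, then search for groups whose `member` attribute holds that DN, optionally walking nested membership with AD's `LDAP_MATCHING_RULE_IN_CHAIN` rule. The `search` callable is an assumed abstraction over whatever LDAP client you use (for ldap3 it would wrap `conn.search`); the directory entries in the demo are constructed. Two details matter for correctness and safety: AD returns `objectGUID` as 16 raw bytes in the mixed-endian layout Python exposes as `UUID.bytes_le`, which must be rendered as backslash-hex in the filter, and any DN or account name spliced into a filter must be escaped per RFC 4515 so a name containing `(`, `)`, `*` or `\` cannot alter the query.

```python
import uuid
from typing import Callable, Dict, List

# Real AD matching-rule OID that makes (member:OID:=DN) match transitively
# through nested groups (LDAP_MATCHING_RULE_IN_CHAIN).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are otherwise filter syntax.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a DN or account name so it is treated as data inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def guid_filter_value(guid: str) -> str:
    """Render a GUID string as the \\xx byte form that (objectGUID=...) expects.

    AD stores objectGUID as 16 raw bytes in the mixed-endian layout that
    Python exposes as UUID.bytes_le, so that is the byte order to escape.
    """
    raw = uuid.UUID(guid).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def object_by_guid_filter(guid: str) -> str:
    return f"(objectGUID={guid_filter_value(guid)})"


def groups_containing_filter(member_dn: str, recursive: bool = False) -> str:
    """Filter for groups that list member_dn directly, or transitively if recursive."""
    dn = escape_filter_value(member_dn)
    if recursive:
        return f"(&(objectClass=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn}))"
    return f"(&(objectClass=group)(member={dn}))"


def direct_reports_filter(manager_dn: str) -> str:
    """Filter for objects whose manager attribute points at manager_dn."""
    return f"(manager={escape_filter_value(manager_dn)})"


# Assumed client abstraction: search(base_dn, ldap_filter, attributes) -> entries.
Search = Callable[[str, str, List[str]], List[Dict[str, str]]]


def groups_for_guid(search: Search, base_dn: str, guid: str, recursive: bool = False) -> List[str]:
    """Two-step lookup: objectGUID -> current DN -> groups holding that DN as member."""
    hits = search(base_dn, object_by_guid_filter(guid), ["distinguishedName"])
    if not hits:
        return []
    dn = hits[0]["distinguishedName"]
    groups = search(base_dn, groups_containing_filter(dn, recursive), ["distinguishedName"])
    return sorted(g["distinguishedName"] for g in groups)


if __name__ == "__main__":
    # Constructed stand-in for a directory so the flow runs offline.
    user_dn = "CN=Smith (Jane),OU=Users,DC=example,DC=com"
    groups = ["CN=Staff,OU=Groups,DC=example,DC=com", "CN=Admins,OU=Groups,DC=example,DC=com"]

    def fake_search(base: str, flt: str, attrs: List[str]) -> List[Dict[str, str]]:
        if flt.startswith("(objectGUID="):
            return [{"distinguishedName": user_dn}]
        if flt == groups_containing_filter(user_dn):
            return [{"distinguishedName": g} for g in groups]
        return []

    guid = "12345678-1234-5678-1234-567812345678"  # constructed sample GUID
    print(object_by_guid_filter(guid))
    print(groups_containing_filter(user_dn, recursive=True))
    print(groups_for_guid(fake_search, "DC=example,DC=com", guid))
```

Note that the parentheses in `CN=Smith (Jane)` are escaped to `\28` and `\29` before the DN is embedded, which is what keeps the membership query well-formed regardless of what the display name contains. AD also accepts `<GUID=...>` as a search base for a base-scope read of a single object, so the first step can be done as a bind rather than a subtree search if your client supports it.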
