Forum Discussion
How to fetch / filter users from AD faster using Get-ADUser command.
- May 22, 2024
The short answer to your question is "it depends".
Here's the longer answer.
There are three points to consider:
- How Get-ADUser is authored;
- Whether the Active Directory attributes being filtered are indexed;
- Whether the filter specified in Get-ADUser is optimised.
I can't speak to the first point authoritatively as I've never:
- Tried to find the source code; or
- Run an unencrypted network trace to see what queries are actually being issued from the commandlet.
If it's performing client-side filtering at all then that could be one reason it's slow. But I don't actually expect this would be the case.
For point two, if an attribute specified in the -Filter statement is not marked for indexing in the Active Directory schema, you may experience poor query performance, since it's possible (if there's no other indexed criteria present in the filter) the entire directory service has to be read.
It's the responsibility of the person writing the PowerShell script to ensure they're constructing performant queries.
Point three is similar to point two, insofar as it's the responsibility of the person writing the PowerShell script to issue optimised queries, though with a twist as this is not about an attribute being indexed or not, but more the inappropriate use of wildcards (when searching on partial string matches).
When using a wildcard for a partial match, this pattern of using a known prefix tailed with the wildcard is efficient:
"mystring*"
While this is exceptionally inefficient (by default, as it is possible to enable tuple indexing in Active Directory):
"*mystring*"
In summary, while it remains possible that Get-ADUser has been written with some flaws in it, I doubt that is likely.
You could test/verify this for yourself through utilising the LDAPFilter parameter but I'd be surprised if it produces any difference in performance (noting that when you run the same query twice, it's typically going to be faster the second time, so you'd want to automate the testing to produce a trustworthy average and discard the first iteration).
My expectation though is that it's far more likely the script author is using non-indexed attribute references and/or has not optimised their LDAP filter, in which case there will be no difference in performance between the Filter and LDAPFilter parameters.
Cheers,
Lain
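The automated comparison the answer above suggests, as an added example that is not part of Lain's post: it checks whether the filtered attribute is indexed in the schema (searchFlags bit 1), then times each candidate query several times, discards the warm-up run and reports the mean. It assumes the ActiveDirectory module on a domain-joined host and a hypothetical account prefix "svc-" for the test filters.

```powershell
Import-Module ActiveDirectory

# Point two: is the attribute we filter on indexed? searchFlags bit 1 (value 1) on the
# attributeSchema object marks it as indexed; bit 0x20 marks a tuple index for "*x*" searches.
function Test-AttributeIndexed {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties searchFlags
    [pscustomobject]@{
        Attribute  = $LdapDisplayName
        Indexed    = [bool]($attr.searchFlags -band 0x1)
        TupleIndex = [bool]($attr.searchFlags -band 0x20)
    }
}

# Point three: run one query several times; drop iteration 0 (connection setup, caching)
# and average the rest, as the answer recommends.
function Measure-AdQuery {
    param([Parameter(Mandatory)][scriptblock]$Query, [int]$Iterations = 5)
    $timings = for ($i = 0; $i -lt $Iterations; $i++) {
        (Measure-Command { & $Query | Out-Null }).TotalMilliseconds
    }
    $steady = $timings | Select-Object -Skip 1
    [pscustomobject]@{
        FirstRunMs = [math]::Round($timings[0], 1)
        MeanMs     = [math]::Round(($steady | Measure-Object -Average).Average, 1)
        MaxMs      = [math]::Round(($steady | Measure-Object -Maximum).Maximum, 1)
    }
}

$base = (Get-ADDomain).DistinguishedName   # whole domain; narrow the SearchBase for real tests
'sAMAccountName', 'description' | ForEach-Object { Test-AttributeIndexed $_ } | Format-Table -AutoSize

# Candidate queries: prefix wildcard vs leading wildcard, -Filter vs -LDAPFilter, larger page size.
$cases = [ordered]@{
    'Filter, prefix wildcard'      = { Get-ADUser -Filter 'SamAccountName -like "svc-*"' -SearchBase $base }
    'LDAPFilter, prefix wildcard'  = { Get-ADUser -LDAPFilter '(sAMAccountName=svc-*)' -SearchBase $base }
    'Filter, leading wildcard'     = { Get-ADUser -Filter 'SamAccountName -like "*svc*"' -SearchBase $base }
    'LDAPFilter, page size 1000'   = { Get-ADUser -LDAPFilter '(sAMAccountName=svc-*)' -SearchBase $base -ResultPageSize 1000 }
}

$results = foreach ($label in $cases.Keys) {
    $m = Measure-AdQuery -Query $cases[$label]
    [pscustomobject]@{ Case = $label; FirstRunMs = $m.FirstRunMs; MeanMs = $m.MeanMs; MaxMs = $m.MaxMs }
}
$results | Format-Table -AutoSize
```

If the prefix and LDAPFilter rows land on the same mean while the leading-wildcard row is far slower, the bottleneck is the filter shape rather than the cmdlet, which is the outcome the answer predicts.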
If it times out after two minutes, perhaps you can tweak the -ResultPageSize parameter? (https://www.randomizedharmony.com/blog/2018/10/7/get-aduser-times-out-after-2-minutes)