Yesterday I was faced with the task of creating a script to search Active Directory. The goal was to look into the second level of the directory for a specific Organizational Unit. We were trying to locate a common OU that is a child of several top-level OUs and extract a usable list. To help visualize this I attempted to illustrate it with text:
Domain Root
|- ParentOU1
|  |- TargetOUa <-- This one
|- ParentOU2
|  |- TargetOUa <-- This one
|  |- TargetOUb
|- ParentOU3
|  |- TargetOUa <-- This one
|  |- TargetOUb
My usual reaction would be to enumerate all of the Parent OUs by taking the following steps:
- Bind to the directory root
- Using a filter, bind to all of the Parent OUs
- Using a filter, enumerate each child OU
- Check if the child OU contains the string that we are searching for (e.g., TargetOU)
- Write out each matching OU (e.g., TargetOUa, TargetOUb, TargetOUc)
As you can see there are several binds (1 + each Parent OU) in this process. Not really a big deal, but each bind puts just a little more load onto the domain controllers. Then a thought came to me that I could use a regular expression to examine all OUs. So I would perform the following steps:
- Bind to the directory root
- Search for all organizational units
- Apply a regular expression to see whether each distinguishedName matches our target OU string: ^ou=TargetOUa\,ou=\w+\,dc=.*
- Write out each matching OU's distinguishedName
Now only one bind is performed and all of the OUs are evaluated. Both processes achieve the same result, but is one better than the other? The second method evaluates all of your OUs, whereas the first method looks at just the top two levels of OUs.
I don't really know if there is a difference, or if one is better than the other. I just prefer to limit the number of binds made to the domain controller and leverage regular expressions for string matching. Do you see a problem with doing it this way? If so, let me know, as I am always open to learning something new.
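The second method, written out as an added PowerShell example (not the script from this post): one bind to the domain root, one subtree search for OUs, and a regular expression that keeps only OUs sitting exactly one level below a top-level OU. It assumes a domain-joined session and uses System.DirectoryServices directly; $TargetOU is the OU name being looked for.

```powershell
# Added example (not the post's own script): the second method, as one bind to
# the domain root and one subtree search, with a regular expression keeping
# only the second-level OUs. Assumes a domain-joined session; $TargetOU is the
# OU name being looked for.
param([string]$TargetOU = 'TargetOUa')

# Bind once: read the domain DN from RootDSE, then bind to the domain root.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$root     = [ADSI]"LDAP://$domainDn"

# One search over the whole tree, restricted to OUs, returning only the DN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=organizationalUnit)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000   # paged results, so domains with more than 1000 OUs return everything
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

# One RDN value, allowing RFC 2253 escapes such as "\," so an OU named
# "Sales, EMEA" is not mistaken for two levels. Used instead of the post's \w+,
# which would miss parent OU names containing spaces or hyphens.
$rdnValue = '(?:[^,\\]|\\.)+'
# Target OU, then exactly one parent OU, then only domain components.
# [regex]::Escape makes the target name literal; -match is case-insensitive,
# which suits the "OU=..." casing that AD returns.
$pattern = '^OU={0},OU={1},DC={1}(?:,DC={1})*$' -f [regex]::Escape($TargetOU), $rdnValue

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $dn = $r.Properties['distinguishedname'][0]
        if ($dn -match $pattern) { $dn }
    }
}
finally {
    $results.Dispose()   # release the underlying COM result set
}
```

Because the depth check happens client-side, every OU in the domain is transferred before filtering; on a very large directory the first method's extra binds may cost less than that one large result set, so measure before choosing.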
Sat, Nov 8, 2008
Technology