ANR search - modifying filter that runs behind it

Stephan Steiner 1 Reputation point
2020-10-06T07:35:34.153+00:00

I'm using ANR search on Active Directory & AD LDS and I'm having a problem finding certain data.

If I plug one value into the search, all is well. As soon as there's two values, things go awry. Say I want to search for everybody who'se name is "steiner" in "zurich". Say "zurich" is in the "office" field (physicalDeliveryOffice), steiner in "sn".

If I search for "zurich", I get all people who have physicalDeliverOffice=zurich, so that's fine. If I search for "steiner", I get the expected results, tool

But if I search for "steiner zurich", I no longer find the records I'm looking for. According to the ANR documentation, my search is transformed into (|(&(x=steiner zurich")(sn=steiner*)(givenName=zurich))(&(x=steiner zurich)(givenName=steiner)(sn=zurich))

So, if a string contains a space, the string is split and the first and second part are always checked against sn/givenName. So it's no surprise the search no longer yields any results. But, that kind of search is pretty simple still.. is there any way to tell anr to check every string token against all ANR attributes?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,433 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2020-10-16T04:24:18.547+00:00

    Hello @Stephan Steiner ,

    Thank you for posting here.

    Based on my test, I got the same result as you.

    I created a new user as below.
    32719-att1.png

    When I search via Display Name or physicalDeliveryOfficeName, I can search the result.
    32668-att2.png

    ANR is a search algorithm in Active Directory that permits a client to search multiple naming-related attributes on objects via a single clause in a search filter.

    3.1.1.3.1.3.4 Ambiguous Name Resolution
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1a9177f4-0272-4ab8-aa22-3c3eafd39e4b

    Ambiguous Name Resolution, or ANR, allows you to search multiple object attributes for a match while only using one search field.

    Search multiple Active Directory attributes from one search field
    https://webactivedirectory.com/2009/12/30/search-multiple-active-directory-attributes-from-one-search-field/

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.