You want to modify the attributes that are included as part of ANR.
In order to proceed, you must have first indexed the attribute.
Open the Active Directory Schema snap-in.
In the left pane, click on the Attributes folder.
In the right pane, double-click the attribute you want to edit.
Check the box beside ANR.
Click OK.
You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:
dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 5
-
If the LDIF file were named add_anr_attr.ldf, you would run the following command:
> ldifde -v -i -f add_anr_attr.ldf
' This code will make an attribute part of the ANR set.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. rallencorp-LanguagesSpoken
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
' 5 = 1 (indexed) + 4 (ANR); Put overwrites any other searchFlags bits already set
objAttr.Put "searchFlags", 5
objAttr.SetInfo
WScript.Echo "New ANR attribute: " & strAttrName
ANR is an efficient search algorithm that allows for a complex search filter to be written using a single comparison. For example, a search for (anr=Jim Smith) would translate into the following query:
An OR filter with every attribute in the ANR set against Jim Smith*
A filter for givenName = Jim* and sn = Smith*
A filter for givenName = Smith* and sn = Jim*
These filters are ORed together and then processed by Active Directory. Since all default ANR attributes are also indexed, the query should return quickly.
Here is a list of the default attributes that are included as part of ANR searches. The LDAP display name of the attribute is shown first with the common name in parentheses.
displayName (Display-Name)
givenName (Given-Name)
legacyExchangeDN (Legacy-Exchange-DN)
msDS-AdditionalSamAccountName (ms-DS-Additional-Sam-Account-Name)
physicalDeliveryOfficeName (Physical-Delivery-Office-Name)
name (RDN)
sAMAccountName (SAM-Account-Name)
sn (Surname)
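The expansion described above can be written out explicitly. The following is an added example, not code from the original recipe: it builds the filter the text describes from the default ANR set listed on this page and escapes the search term per RFC 4515 so user input cannot change the filter's structure. The function names are hypothetical, and splitting the term at the first space only is an assumption.

```python
# Added example: expands an ANR term into the explicit filter the text describes.
# DEFAULT_ANR_SET is copied from the list on this page; function names are hypothetical.

DEFAULT_ANR_SET = (
    "displayName", "givenName", "legacyExchangeDN",
    "msDS-AdditionalSamAccountName", "physicalDeliveryOfficeName",
    "name", "sAMAccountName", "sn",
)

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape user input so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_anr(term, anr_attrs=DEFAULT_ANR_SET):
    """Return the explicit LDAP filter equivalent to (anr=<term>)."""
    term = term.strip()
    if not term:
        raise ValueError("ANR term must not be empty")
    whole = escape_filter_value(term)
    # 1. Prefix match of the whole term against every attribute in the ANR set.
    clauses = ["({}={}*)".format(attr, whole) for attr in anr_attrs]
    # 2 and 3. If the term contains a space, try both first/last name orders.
    #    Assumption: the split happens at the first space only.
    first, sep, rest = term.partition(" ")
    rest = rest.strip()
    if sep and rest:
        a, b = escape_filter_value(first), escape_filter_value(rest)
        clauses.append("(&(givenName={}*)(sn={}*))".format(a, b))
        clauses.append("(&(givenName={}*)(sn={}*))".format(b, a))
    return "(|" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(expand_anr("Jim Smith"))
    # Constructed input with filter metacharacters; they are emitted escaped.
    print(expand_anr("Smith (Contractor)", ["name"]))
```

Every attribute added to the ANR set contributes one more clause to the first group, which is why each of them needs an index.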
It is important to make sure that any new ANR attributes are also indexed. ANR searches are intended to be very fast, and if a non-indexed attribute were added to the set, it could dramatically impact the performance of the searches.
You can find which attributes are included in the ANR set by using the following search criteria:
Base: cn=Schema,cn=Configuration,<ForestRootDN>
Filter: (&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))
Scope: onelevel
Alternatively, to find attributes that aren't included in ANR, change the previous search filter to the following:
(&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=4)))
Recipe 4.12 for modifying a bit-flag attribute, Recipe 10.7 for adding a new attribute, MS KB 243299 (Ambiguous Name Resolution for LDAP in Windows 2000), and MS KB 243311 (Setting an Attribute's searchFlags Property to Be Indexed for ANR)