I saw this LDAP query three different times today. I am not sure why, but I think someone was telling me to write about it.
People probably use objectcategory=user because they are used to hearing “use objectcategory, not objectclass, because objectclass isn’t indexed.”
That is correct: by default in Windows 2000, Windows Server 2003, and ADAM, objectclass is not indexed. It might change in the Longhorn timeframe. You can, if you choose to, index objectclass on your own. It works fine; I have been doing it for years. You may hear people saying OH MY LORD NO!!! You can’t index it because it is multivalued or because the values are unique or whatever else. Those were concerns from the pre-gold Windows 2000 time frame, so we are talking about prior to Oct 2000 when you needed to be concerned about it. Let the past stay in the past, index objectclass.
So it sounds like if you haven’t indexed objectclass, objectcategory=user is the next best thing, huh? Well it would be, if it worked. Unfortunately objectcategory=user doesn’t make it through the AD query engine intact. What happens is that AD changes it to objectcategory=CN=Person,CN=Schema,CN=Configuration,… The objectcategory attribute takes a DN value, but to help coders out so they don’t have to look up the schema DN all of the time, AD allows the shortcut of using a short objectclass name in queries. It looks up that objectclass and uses its defaultObjectCategory for the expansion.
You will note when looking at the schema that the defaultObjectCategory for user is what I mentioned above:
F:\DEV\cpp>adfind -sc s:user defaultObjectCategory
AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com
>defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
1 Objects returned
You can also see this in the STATS of a query if you want to peek…
[Thu 12/08/2005 19:13:38.32]
F:\DEV\cpp>adfind -default -f objectcategory=user -stats+only
AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
Statistics
=================================
Elapsed Time: 170 (ms)
Returned 7139 entries of 7157 visited - (99.75%)
Used Filter:
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
Used Indices:
idx_objectCategory:4394:N
Analysis
---------------------------------
Hit Rate of 99.75% is Efficient
Indices used:
Index Name : idx_objectCategory
Record Count: 4394 (estimate)
Index Type : Normal Attribute Index
Filter Breakdown:
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
Now you may think, well heck that is fine for me… Same diff huh? Well no. A query of objectclass=user will return different objects than one of objectcategory=person… try it.
joe
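The rewrite described above, modelled offline as an added example (not code from the original post or from AdFind). It goes one step past the post by showing which objects differ: in the base AD schema, contacts share the Person category with users, while computer objects carry user in objectClass but have the Computer category. The entry names and the `search`/`search_and` helpers are constructed for illustration.

```python
# Offline model of how AD rewrites (objectCategory=<class name>).
# The schema table reflects base-schema defaults; ENTRIES is constructed sample data.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=joe,DC=com"

# class lDAPDisplayName (lowercased) -> defaultObjectCategory
DEFAULT_OBJECT_CATEGORY = {
    "person": f"CN=Person,{SCHEMA_NC}",
    "user": f"CN=Person,{SCHEMA_NC}",
    "contact": f"CN=Person,{SCHEMA_NC}",
    "computer": f"CN=Computer,{SCHEMA_NC}",
}

ENTRIES = [  # constructed directory objects
    {"name": "alice", "objectCategory": f"CN=Person,{SCHEMA_NC}",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"name": "vendor-contact", "objectCategory": f"CN=Person,{SCHEMA_NC}",
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"name": "WS01$", "objectCategory": f"CN=Computer,{SCHEMA_NC}",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
]

def expand_object_category(value):
    """Return the DN actually searched: a short class name is replaced by
    that class's defaultObjectCategory; a DN is passed through unchanged."""
    if "=" in value:
        return value
    return DEFAULT_OBJECT_CATEGORY[value.lower()]

def search(attr, value):
    """Evaluate a single equality term against ENTRIES; returns sorted names."""
    attr = attr.lower()
    if attr == "objectcategory":
        dn = expand_object_category(value).lower()
        hits = [e for e in ENTRIES if e["objectCategory"].lower() == dn]
    elif attr == "objectclass":
        hits = [e for e in ENTRIES
                if value.lower() in (c.lower() for c in e["objectClass"])]
    else:
        raise ValueError(f"unsupported attribute: {attr}")
    return sorted(e["name"] for e in hits)

def search_and(*terms):
    """AND several (attr, value) terms together, like (&(a=b)(c=d))."""
    sets = [set(search(a, v)) for a, v in terms]
    return sorted(set.intersection(*sets))

if __name__ == "__main__":
    print("objectCategory=user ->", expand_object_category("user"))
    print("  matches:", search("objectCategory", "user"))
    print("objectClass=user matches:", search("objectClass", "user"))
    print("both terms:", search_and(("objectCategory", "person"),
                                    ("objectClass", "user")))
```

Anyone using one of these filters to enumerate accounts for an audit should note that the category filter pulls in contacts and the class filter pulls in computer accounts; combining the two terms returns only user accounts.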