To accurately verify that a recipient is a member of a security group or of a distribution group, a program must make many queries to Active Directory. When the program makes these queries, it performs many operations on the domain controller that hosts Active Directory. These operations use resources and network bandwidth. Nested groups increase the number of queries. Therefore, more system resources and network resources are used when you query nested groups.
A program queries Active Directory whenever it must verify a parent and child relationship that includes the following queries, among other queries:
- Is a user a member of a group?
- To what groups does a user belong?
- Is a user in the reporting hierarchy of another user?
- What is the reporting hierarchy of a user?
- What is the reporting hierarchy of all users who are linked to a particular user?
Benefits of using the new functionality
After you apply the hotfix, programs that use its new functionality can use a single operation to resolve group memberships in Active Directory. Therefore, much less network bandwidth and fewer system resources are used on the server and the client computer. Also, because a Windows Server 2003 Active Directory server uses its internal indexes to process the query, the results are returned much more quickly.
The new operator
The definition of the new extended matching operator to perform a server-based search is
LDAP_MATCHING_RULE_IN_CHAIN. The object identifier (OID) for the operator is
1.2.840.113556.1.4.1941 in dotted notation.
You can use only the distinguished name (DN) of the object in the search filter. You cannot perform the search by specifying a user principal name (UPN), a unique identifier (UID), or any other alternative representation of the object.
The scope of the query is not limited. You can include only the base path or extend the search. You can search the whole subtree or only one level. However, queries on subtrees can use more resources. Also, a query that requires high fan-outs uses lots of resources. For example, the
List all the groups a user is a member of query uses lots of resources.
The extended match operator resembles bitwise OR and bitwise AND. The operator performs a hierarchical search until it reaches the root or the destination.
The new operator first performs a breadth search on the link table. The operator tries to establish a path from the base object to the distinguished name of the required object by using the specified link pair. If the operator finds the required object, the operator checks the intervening objects in the chain for read permissions. The operator returns the distinguished names of the matching objects when an object meets the filter conditions, and the appropriate permissions are available. The operator also returns hidden group memberships unless the appropriate permissions are not available.
If a given object is not found in the link path or if the user does not have permissions along the link chain, an LDAP search returns the
ERROR_SUCCESS result code together with an empty result set.
You can use the operator in the following way:
("(fwlink attribute name:OID:=DN)")
Examples
The following examples show how you can use the new query operator.
Important If any query performs a subtree search, and the scope contains many objects, the query times out and fails. Additionally, the queries in the last four examples use lots of resources. Therefore, use these queries with caution.
Example 1: Check whether a user is a member of a group
To check whether
User1 is a member of a group, you can use the following parameters in the query:
Base: user DN (cn=user1, cn=users, dc=domain)
Scope: base
Query: (memberof:OID:=GroupDN)
Returns: The distinguished name of the group if the user is a member of that group.
In this query,
GroupDN is the distinguished name of the group that you are checking for
User1's membership.
Example 2: Check all the groups to which a user belongs
To check all the groups to which a user belongs, you can use the following parameters in the query:
Base: groups container DN (OU=groupsOU, dc=domain)
Scope: subtree
Note A query to a depth of one level also works if all users are in one flat container.
Filter: (member:OID:=userDN)
Returns: The distinguished names of all groups to which the user belongs.
In this query,
userDN is the distinguished name for the user whose membership you want to query.
Note This query returns hidden group memberships.
Example 3: Check whether a user is in the reporting hierarchy of another user
Important This query uses lots of resources. Use it with caution.
To verify that
User1 is in the reporting hierarchy of
User2, you can use the following parameters in the query:
Base: user DN (cn=user1, cn=users, dc=domain)
Scope: base
Note You can use the subtree instead of the base.
Query: (manager:OID:=User2DN)
Returns: The distinguished name of User2 if User1 is in the link chain to User2. If you set the scope to a depth of one level, no results are returned.
In this query,
User2DN is the distinguished name of the user whose hierarchy you want to verify.
Example 4: Verify the reporting hierarchy under a user
To verify the users who report to
User1, you can use the following parameters in the query:
Base: users container or any container above it (cn=users, dc=domain)
Scope: subtree
Note A query to a one-level depth also works if all the users are in one flat container.
Query: (manager:OID:=User1DN)
Returns: The distinguished name of all the users who effectively report to User1.
In this query,
User1DN is the distinguished name of the user whose hierarchy you want to verify.
Example 5: Verify the complete reporting structure of a user
To verify who
User1 reports to, who
User1's manager reports to, and so on, you can use the following parameters in the query:
Base: users container DN (cn=users, dc=domain)
Scope: subtree
Note A query to a depth of one level also works if all users are in one flat container.
Query: (directReports:OID:=User1DN
Returns: The distinguished names of all the users who are in the chain of User1 to the root.
In this query,
User1DN is the user for whose reporting hierarchy you want the report.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Hotfix installation information
Apply this hotfix to all domain controllers.
Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1) installed.
Note The x64-based versions of Windows Server 2003 already include the fixes and features that are included in Windows Server 2003 SP1. If the computer is running an x64-based version of Windows Server 2003, you do not have to install SP1.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100
How to obtain the latest service pack for Windows Server 2003
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the
Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003, 32-bit versions
| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|
| Ntdsa.dll | 5.2.3790.489 | 1,432,064 | 21-Feb-2006 | 06:03 | x86 | None | RTMQFE |
| Ntdsatq.dll | 5.2.3790.489 | 29,696 | 21-Feb-2006 | 06:03 | x86 | None | RTMQFE |
| Ntdsa.dll | 5.2.3790.2643 | 1,520,640 | 21-Feb-2006 | 06:14 | x86 | SP1 | SP1QFE |
Windows Server 2003, x64-based versions
| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|
| Ntdsa.dll | 5.2.3790.2643 | 2,964,992 | 20-Feb-2006 | 17:11 | x64 | SP1 | SP1QFE |
| Wntdsa.dll | 5.2.3790.2643 | 1,520,640 | 20-Feb-2006 | 17:11 | x86 | SP1 | WOW |
Windows Server 2003, Enterprise Edition for Itanium-based Systems
| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|
| Ntdsa.dll | 5.2.3790.489 | 4,068,352 | 20-Feb-2006 | 17:07 | IA-64 | None | RTMQFE |
| Ntdsatq.dll | 5.2.3790.489 | 82,432 | 20-Feb-2006 | 17:07 | IA-64 | None | RTMQFE |
| Ntdsa.dll | 5.2.3790.2643 | 4,252,160 | 20-Feb-2006 | 17:11 | IA-64 | SP1 | SP1QFE |
| Wntdsa.dll | 5.2.3790.2643 | 1,520,640 | 20-Feb-2006 | 17:11 | x86 | SP1 | WOW |
For more information about the terms that are used to describe software updates, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates