Microsoft KB Archive/914828

= A hotfix is available that improves the performance of programs that query Active Directory for group memberships in Windows Server 2003 =

Article ID: 914828

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

-



INTRODUCTION
A hotfix is available that improves the performance of programs that query the Active Directory directory service for group memberships in Microsoft Windows Server 2003. This hotfix reduces the load on the system resources of the server and of the client computer. This hotfix also reduces the network bandwidth that is used.



MORE INFORMATION
To accurately verify that a recipient is a member of a security group or of a distribution group, a program must make many queries to Active Directory. When the program makes these queries, it performs many operations on the domain controller that hosts Active Directory. These operations use resources and network bandwidth. Nested groups increase the number of queries. Therefore, more system resources and network resources are used when you query nested groups.

A program queries Active Directory whenever it must verify a parent and child relationship that includes the following queries, among other queries:
 * Is a user a member of a group?
 * To what groups does a user belong?
 * Is a user in the reporting hierarchy of another user?
 * What is the reporting hierarchy of a user?
 * What is the reporting hierarchy of all users who are linked to a particular user?

Benefits of using the new functionality
After you apply the hotfix, programs that use its new functionality can use a single operation to resolve group memberships in Active Directory. Therefore, much less network bandwidth and fewer system resources are used on the server and the client computer. Also, because a Windows Server 2003 Active Directory server uses its internal indexes to process the query, the results are returned much more quickly.

The new operator
The definition of the new extended matching operator to perform a server-based search is LDAP_MATCHING_RULE_IN_CHAIN. The object identifier (OID) for the operator is 1.2.840.113556.1.4.1941 in dotted notation.

You can use only the distinguished name (DN) of the object in the search filter. You cannot perform the search by specifying a user principal name (UPN), a unique identifier (UID), or any other alternative representation of the object.

The scope of the query is not limited. You can include only the base path or extend the search. You can search the whole subtree or only one level. However, queries on subtrees can use more resources. Also, a query that requires high fan-outs uses lots of resources. For example, the List all the groups a user is a member of query uses lots of resources.

The extended match operator resembles bitwise OR and bitwise AND. The operator performs a hierarchical search until it reaches the root or the destination.

The new operator first performs a breadth search on the link table. The operator tries to establish a path from the base object to the distinguished name of the required object by using the specified link pair. If the operator finds the required object, the operator checks the intervening objects in the chain for read permissions. The operator returns the distinguished names of the matching objects when an object meets the filter conditions, and the appropriate permissions are available. The operator also returns hidden group memberships unless the appropriate permissions are not available.

If a given object is not found in the link path or if the user does not have permissions along the link chain, an LDAP search returns the ERROR_SUCCESS result code together with an empty result set.

You can use the operator in the following way:

(&quot;( : := )&quot;)

Examples
The following examples show how you can use the new query operator.

Important If any query performs a subtree search, and the scope contains many objects, the query times out and fails. Additionally, the queries in the last four examples use lots of resources. Therefore, use these queries with caution.

Example 1: Check whether a user is a member of a group
To check whether  is a member of a group, you can use the following parameters in the query:

Base:  (cn=, cn=users, dc= )

Scope: base Query: (memberof: := )

Returns: The distinguished name of the group if the user is a member of that group.

In this query,  is the distinguished name of the group that you are checking for  's membership.

Example 2: Check all the groups to which a user belongs
To check all the groups to which a user belongs, you can use the following parameters in the query:

Base:  (OU=, dc= )

Scope: subtree

Note A query to a depth of one level also works if all users are in one flat container.

Filter: (member: := )

Returns: The distinguished names of all groups to which the user belongs.

In this query,  is the distinguished name for the user whose membership you want to query.

Note This query returns hidden group memberships.

Example 3: Check whether a user is in the reporting hierarchy of another user
Important This query uses lots of resources. Use it with caution.

To verify that  is in the reporting hierarchy of , you can use the following parameters in the query:

Base:  (cn=, cn=users, dc= )

Scope: base

Note You can use the subtree instead of the base.

Query: (manager: := )

Returns: The distinguished name of  if   is in the link chain to. If you set the scope to a depth of one level, no results are returned.

In this query,  is the distinguished name of the user whose hierarchy you want to verify.

Example 4: Verify the reporting hierarchy under a user
To verify the users who report to, you can use the following parameters in the query:

Base: users container or any container above it (cn=users, dc= )

Scope: subtree

Note A query to a one-level depth also works if all the users are in one flat container.

Query: (manager: := )

Returns: The distinguished name of all the users who effectively report to.

In this query,  is the distinguished name of the user whose hierarchy you want to verify.

Example 5: Verify the complete reporting structure of a user
To verify who  reports to, who  's manager reports to, and so on, you can use the following parameters in the query:

Base: users container DN (cn=users, dc= )

Scope: subtree

Note A query to a depth of one level also works if all users are in one flat container.

Query: (directReports: :=

Returns: The distinguished names of all the users who are in the chain of  to the root.

In this query,  is the user for whose reporting hierarchy you want the report.

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Hotfix installation information
Apply this hotfix to all domain controllers.

Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1) installed.

Note The x64-based versions of Windows Server 2003 already include the fixes and features that are included in Windows Server 2003 SP1. If the computer is running an x64-based version of Windows Server 2003, you do not have to install SP1.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement
You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003, Enterprise Edition for Itanium-based Systems
For more information about the terms that are used to describe software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbinfo kbqfe kbactivedirectory kbldap kbquery kbexpertiseadvanced kbhotfixserver kbwinserv2003presp2fix KB914828

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.