ActiveDirectory query performance for not including

Question

I'm curious as to whether the following will negatively impact performance in a significant way...

I have a web form with an input box and grid (could be any form of application really) and allows the user to search Active Directory for users...I don't want user accounts that have the $ as part of there sAMAccountName and so am wondering whether I should have them returned and then filter them out in a loop in the application or whether they should be excluded in the ActiveDirectory filter like the following:

(&(objectCateogry=person)(objectClass=user)(!(sAMAccountName=*$*))(cn=<Insert User Query>))

I guess it's the *$* that i'm concerned will impact performance...any insight would be greatly appreciated!

Answer 1

I would include (!(sAMAccountName=*$*)) in the query for the following reasons:

1. It is indexed in Active Directory so searches are quick.
2. In most environments domain controllers aren't hit as hard as web servers and have CPU and RAM to spare.

I'm just guessing but I would think that the extra entries that the domain controllers will have to process and send to the web server would actually make everything take a little longer. You could try it both ways in your environment and measure the difference.

Also, you could take a look at the classes in System.DirectoryServices.Protocols if you're concerned with performance.