Huge difference in query time compared to other methods

Question

Huge difference in query time compared to other methods

zjorz opened this issue 4 years ago · comments

Jorge de Almeida Pinto | IAMTEC commented 4 years ago

QUERYING FOR OBJECTS:
"computer"
"inetOrgPerson"
"msDS-GroupManagedServiceAccount"
"user"
"group"
"container"
"organizationalUnit"
"domainDNS"
QUERYING FOR ATTRIBUTES:
"accountExpires"
"canonicalName"
"carLicense"
"cn"
"displayName"
"distinguishedName"
"lastLogonTimestamp"
"lockoutTime"
"mail"
"msDS-AllowedToActOnBehalfOfOtherIdentity"
"msDS-AllowedToDelegateTo"
"msDS-SupportedEncryptionTypes"
"msDS-UserPasswordExpiryTimeComputed"
"name"
"nTSecurityDescriptor"
"objectClass"
"ObjectGUID"
"pwdLastSet"
"sAMAccountName"
"servicePrincipalName"
"userAccountControl"
"UserPrincipalName"
"whenCreated"

Number of Objects: 100341

S.DS.P ==> Time Elapsed....: '49.2810517766667' Minutes
ADSI ==> Time Elapsed....: '1.46958625833333' Minutes
AD POSH==> Time Elapsed....: '4.44061052333333' Minutes
ADFIND ==> Time Elapsed....: '2.25115640833333' Minutes

I seriously do not understand why that S.DS.P posh module is so slow

If you need more info, feel free to ask

Jiri Formacek · Answer 1 · Fri Apr 24 2020 21:40:30 GMT+0800 (China Standard Time)

Hello,
did you run your test with -RangeSize:0 ?

Jiri

Jorge de Almeida Pinto | IAMTEC · Answer 2 · Fri Apr 24 2020 21:55:00 GMT+0800 (China Standard Time)

specified that option and it is way better now!

Time Elapsed....: '4.28738873333333' Minutes

still surprised that ADSI is faster and that it is near as fast as the ad posh cmdlets

Jorge de Almeida Pinto | IAMTEC · Answer 3 · Fri Apr 24 2020 21:57:56 GMT+0800 (China Standard Time)

something else:

do you know to convert the binary values of nTSecurityDescriptor and msDS-AllowedToActOnBehalfOfOtherIdentity to human readable values? I have been trying to figure that out but I'm failing miserably. Both are listed in PropertiesToLoad and BinaryProperties parameters

Jiri Formacek · Answer 4 · Fri Apr 24 2020 21:59:03 GMT+0800 (China Standard Time)

Well, ADSI is compiled code, that's most likely why.

In fact, performance is not a main criteria here - original purpose was to show how to operate LDAP directories from PowerShell, and kind of document some not-well-known knowledge (ranged property retrieval, 1.1 OID, etc.)

Jiri Formacek · Answer 5 · Fri Apr 24 2020 22:13:38 GMT+0800 (China Standard Time)

something else:

do you know to convert the binary values of nTSecurityDescriptor and msDS-AllowedToActOnBehalfOfOtherIdentity to human readable values? I have been trying to figure that out but I'm failing miserably. Both are listed in PropertiesToLoad and BinaryProperties parameters

Well, I just return byte array, and caller is responsible for converting. Each value has own semantics, so you're supposed to know how to convert to object you want to work with.
For example ntSecurityDescriptor:

#$obj=Find-LdapObject -PropertiesToLoad @('ntSecurityDescriptor') -BinaryProperties @('ntSecurityDescriptor') ....
$dacl = new-object System.DirectoryServices.ActiveDirectorySecurity
$dacl.SetSecurityDescriptorBinaryForm($obj.ntSecurityDescriptor)
#list ACEs
$dacl.Access

Jiri Formacek · Answer 6 · Fri Apr 24 2020 23:18:24 GMT+0800 (China Standard Time)

BTW I'm thinking about something like lambda that could be registered and would do conversion to desired object on the fly... still lambda would need to be developed by caller, but then code would use it automatically to transform raw values into desired form.

So maybe in some of next version...

I guess we can close this issue now....

Jorge de Almeida Pinto | IAMTEC · Answer 7 · Fri Apr 24 2020 23:57:17 GMT+0800 (China Standard Time)

Well, ADSI is compiled code, that's most likely why.

In fact, performance is not a main criteria here - original purpose was to show how to operate LDAP directories from PowerShell, and kind of document some not-well-known knowledge (ranged property retrieval, 1.1 OID, etc.)

the option "-RangeSize:0" seriously makes a difference! Thanks!!!!