Active Directory search is your friend

After a discussion today with one of our Level 2 guys about administering AD users and groups, I was inspired to post, as I wonder how most people manage a large AD.

One of our environments has OUs that contain thousands of objects. We try to keep a flat structure for simplicity and group objects by type. We are implementing ActiveRoles into this environment, and one of the behaviors it exhibits (version 6.5 with Exchange Resource Forest Manager) is that it is slow to display a large number of objects when you expand an OU. My question is: once you reach a certain number of objects, why does this behavior matter? Surely no one is going to scroll down a list of 50,000 objects looking for a single one? For environments like this, search is your friend.

If you’re doing anything to an object in AD, chances are you know exactly what object it is; if not, you at least know part of it, i.e. a name, attribute value, partial value, etc. It’s far easier to search than to expand a huge long list and hunt through it. If you are expanding a list of objects and even just hitting ‘m’ to take you to the names starting with ‘m’, that’s still performing a search, just in a different way. You then lose time trying to see the wood for the trees anyway.

My advice is: whatever tool you are using, whether it be native AD tools, ActiveRoles, AD management gateways, whatever, learn the search options, find what works best for you and use it. Even when a tool displays the entire contents of an OU quickly, I guarantee you still won’t be working as fast as an admin who uses the search options to their full potential.
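
As an added example (not part of the original post), here is one way to search on a partial name or attribute value with the native ActiveDirectory PowerShell module instead of expanding an OU. The function names, the default properties and the sample values are assumptions made for illustration; the typed fragment is escaped per RFC 4515 so it is matched literally and cannot alter the LDAP filter.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Hypothetical helper: escape the RFC 4515 special characters.
    # The backslash is replaced first so later escapes are not double-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

function Find-DirectoryObject {
    # Hypothetical wrapper around Get-ADObject for "I know part of it" lookups.
    param(
        [Parameter(Mandatory)][string]$Fragment,
        # 'anr' (ambiguous name resolution) checks several naming attributes at
        # once; any other value is treated as a single attribute name.
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')][string]$Attribute = 'anr',
        [string]$SearchBase,      # optional DN to limit the search to one OU
        [int]$MaxResults = 25     # cap the result set; refine the search instead of scrolling
    )
    $safe = ConvertTo-LdapFilterValue -Value $Fragment
    if ($Attribute -eq 'anr') {
        $filter = "(anr=$safe)"
    } else {
        # Prefix match. A leading wildcard (*value*) also works but is slower
        # on large directories.
        $filter = "($Attribute=$safe*)"
    }
    $query = @{
        LDAPFilter    = $filter
        ResultSetSize = $MaxResults
        Properties    = 'mail', 'department'
    }
    if ($SearchBase) {
        $query.SearchBase  = $SearchBase
        $query.SearchScope = 'Subtree'
    }
    Get-ADObject @query |
        Select-Object Name, ObjectClass, mail, department, DistinguishedName
}

# Constructed sample values, not taken from a real directory:
Find-DirectoryObject -Fragment 'mcdon'
Find-DirectoryObject -Fragment 'Finance (EMEA)' -Attribute department `
    -SearchBase 'OU=Users,DC=example,DC=com'
```

Because the directory server evaluates the filter and returns at most `$MaxResults` objects, the query stays fast no matter how many objects the OU contains.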

