Hey Everyone,
Just wondering if I am missing a parameter or maybe its just the way it is supposed to work.
I have the 2 below queries I am testing. One against the entire domain and one against a Managed Unit which should contain my true targets.
Searching the entire domain (50K users ) is a lot faster than targeting the Managed Unit (800 users)
$date = (Get-Date).AddDays(-31) $stopwatch1 = [system.diagnostics.stopwatch]::StartNew() $deproUsers1 = Get-QADUser -SizeLimit 0 -proxy -SearchRoot "DC=mydomain,DC=com" -DontUseDefaultIncludedProperties -ObjectAttributes @{edsvaACDeprovisionDate='*'} -IncludedProperties samaccountname,mail,employeeNumber,edsvaACDeprovisionDate,edsvaACLeaveDate,extensionAttribute2 -SerializeValues | Where-Object { [DateTime]$_.edsvaACDeprovisionDate -le $date } | Select-Object samaccountname,mail,employeeNumber,edsvaACDeprovisionDate,edsvaACLeaveDate $stopwatch1.Stop() $stopwatch2 = [system.diagnostics.stopwatch]::StartNew() $deproUsers2 = Get-QADUser -SizeLimit 0 -proxy -SearchRoot 'CN=DeprovisionedAccounts,CN=Users,CN=Hidden,CN=My Company,CN=Managed Units,CN=Configuration' -DontUseDefaultIncludedProperties -ObjectAttributes @{edsvaACDeprovisionDate='*'} -IncludedProperties samaccountname,mail,employeeNumber,edsvaACDeprovisionDate,edsvaACLeaveDate,extensionAttribute2 -SerializeValues | Where-Object { [DateTime]$_.edsvaACDeprovisionDate -le $date } | Select-Object samaccountname,mail,employeeNumber,edsvaACDeprovisionDate,edsvaACLeaveDate $stopwatch2.Stop() $stopwatch1.Elapsed.TotalSeconds $stopwatch2.Elapsed.TotalSeconds $deproUsers1.count $deproUsers2.count 6,7517274 19,1901357 52 52
I would of thought setting the searchroot to a Managed Unit would be exponentially quicker since it is already a subset of the entire managed domain
If this is expected behavior then it would only be useful for really complex Managed Unit rules where the same filtering cannot be performed on the command line.
Possibly AR causing a complete refresh on the MU before it pulls the data?
Thanks for any input
Clay