Say I am querying Active Directory with Get-ADUser -Filter "ObjectClass -eq 'user' -and 'Name -like '*foo*'".
Does reversing the order of ObjectClass and Name change the order of the query passed to Active Directory and thus affect performance? According to this StackOverflow post, PowerShell converts the -Filter into an LDAP query before being passed to the server.
Assuming it does, in what order is the statement evaluated? Left to right, or something else?
Some high-level pointers:
It's fair to assume that evaluation is left to right (I have no source to back that up), but whether the translation of the PowerShell-like
-Filterexpression into an LDAP query behind the scenes even preserves that order is not obvious, judging by the juxtaposition of-Filterarguments and corresponding LDAP queries in theFilter Examplessection of the conceptual about_Active_Directory_Filter help topic: the subexpression order in the-Filterisn't consistently preserved there - though that could just be an inaccuracy in the documentation.Generally speaking, given that an
-andoperation is short-circuiting, you'll get better performance if you place the test that executes more quickly on the LHS:This ensures that the comparatively slower test needn't be executed if the quicker one is negative.
At least hypothetically, in the case at hand
ObjectClass -eq 'user'could be quicker, given that wildcard matching (-like) is more complex than equality comparison(
-eq).However, both
-eqand-liketranslate into the same operator on the LDAP side,=; see theSupported Operatorsin the linked help topic for details.Either way, it may not make much difference in practice in this case.
The linked help topic also has an
Optimizing Filterssection, excerpted here: