Incomplete Collection of AD Groups in RSA Identity Governance & Lifecycle

2 years ago

Originally Published: 2018-01-17

Article Number

000041408

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2

Issue

An attempt is made to collect around 17K groups starting at the root domain. For example:

Group Base DN:   DC=CompanyXYZ, DC=com

The search criteria is

(&(objectCategory=Group)(objectClass=group))

The Test button for Group Data in the collector edit screen may indicate that the first 1000 is found.

The Test button may on occasion show a timeout which is not recorded in the aveksaServer.log

Upon collection, only a handful of AD administrative groups show up in the raw data for the collection.

Cause

Due to the search starting at the top of the domain, we query the root referrals of DNSZones, Configuration, and Schema.

Because of the referral, you will end up in other parts of the tree for which the account you are using has no access rights, hence you collect less or even nothing.

Resolution

In the collector definition, please make sure that you check the Ignore Referrals box.

This will allow the Collector to find and pull in all groups in the domain.

We also suggest that you use a more targeted entry point in the tree, so that ACM collections do not search unnecessarily large areas.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles