Is it possible to apply a VA value to multiple users in one pass?

I have a few thousand users to apply a VA value to - in order for a DynamicGroup to pull them in as members.

Other than my normal practice of looping through the list - is there an array way to feed Set-QADUser an attribute-value append that would take the 3K and do it at once, rather than through a loop?

AD has a way with 'group' membership - and Exchange has a way with Update-DistributionGroupMember - using a list of users "," - or ";" separated, and making that one call, that's all ...

Can ARS do this too? Say yes, and show me how.

  • So - maybe nothing in the box ...

    maybe out of the box?

    My working assumption in this task is
    that the VA value lives completely inside ARS config,
    and ARS config is stored in SQL.
    SQL has tables that can be updated.

    Can a SQL query be structured to update a table that contains the VAs tied to an AD user object
    - and push the VA via SQL command in one pass,
    and on ARS restart, the aradminsvc will associate the VA values with the live user?

  • You definitely don't want to get into doing any manipulations of the AR SQL tables as this would put you off-side from a Support perspective.

    I was going to suggest a programmatic trigger of a policy check.

    So initially, you set a provisioning policy PVG rule that says that myVA "MUST BE" value "X"  and then programmatically trigger AR to check objects for compliance with this policy and correct those that are not.

  • I think a lot of smart things in my head that don't sound very smart coming out of my mouth.

    That's in life - not just in work  ; )

    Interesting line of thought - I'll turn the rabbits loose to roam the permutations of that trail ...

    also considering adding an 'include member of' rule and just having a shadow group flood the DG with initial population - so users can work while we plot out a better approach.

    The issue for us is, we have tens of thousands of users in about 10 different collections of input files provided by a customer.
    They want a manual process converted to automated, and ARS raises its hand. ME ... MEEEEE.


    We run a PS> script to read the input file, and for .... each ....... user ..... zzzzzz <do this VA thing>
    VA takes seconds to apply for the first hundred, then 10s of seconds, then minutes each -
    so - I build in a progressive stopwatch() sleep timer, grows and shrinks based on how long the prior update took to run - floating between 5 and up to 30 seconds before the next VA update. If we don't do this - we end up seeing end-user web impact <slowness> and SQL CPU sustaining 100% ...
    it takes a while to get there, from 30 to 40 % utilization .. and takes 15 to 20 minutes to trail off once we stop the script.



    We have good memory availability, and disk speed / latency is nominal - and CPUs ... which should be enough to do the job (16 core @ 2.4 GHz).

    Still we see ARS drag on mass VA updates.

  • This might be your real issue:

    Title: Performance issues affecting multiple Active Roles clients which is specifically tied to Active Roles Virtual Attributes
    Solution: 333120
    URL: https://support.oneidentity.com/kb/333120 

  • Am curious, how exactly are you writing to the VAs?

    Are you using the Quest PoSh cmdlets or ADSI-style calls?

  • I do as much up front external to ARS - so I am doing an ADSI search for the AD user object to be updated

    $strRoleType = 'IMASPECIALROLE'
    # Plain LDAP search (no ARS round trip) for the user by name under the parent container
    $objUser = ([adsisearcher]::new([ADSI]"LDAP://$strContainerDN","(&(objectcategory=person)(objectclass=user)(name=$username))",('name','canonicalname','dn','memberof'),"subtree")).findone()

    I validate the user isn't sitting in an off-limits subOU of the parent search path, and is not yet a member of the dynamic group - among other pre-checks.

    - If the user is still a target of the VA change - I then run the following QAD command

    Set-QADUser -Identity $objUser.properties.canonicalname[0] -ObjectAttributes @{'edsvaRoleBean'=@{Append=@("$strRoleType")}} -connection $ARSession  | out-null

  • Hmmm .. <peeks over glasses>  that is worth a real shot, Terrance.  

  • Try this instead of your Set-QADUser

    $ADObj = [ADSI]("EDMS://" + $objUser.distinguishedname)

    # PutEx operation code: 2 is ADS_PROPERTY_UPDATE (replaces the whole value list); append is 3 (ADS_PROPERTY_APPEND)
    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType"))
    $ADObj.setinfo()

  • Encountered an error with the putex as written.

    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType")) 

    I removed the double quotes - and left the singles on the rolebean - ran without error, but replaced the existing roles under that VA name with just the one.
    whoops.  I can roll that back - but, here's the error that was returned as written above -
    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType"))
    Exception calling "putex" with "3" argument(s): "The directory datatype cannot be converted to/from a native DS datatype

  • $ADObj.putex(3,'edsvaRoleBean',@($strRoleType))   # 3 = ADS_PROPERTY_APPEND; 2 = ADS_PROPERTY_UPDATE, which is why the existing values were replaced
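Putting the thread's pieces together, here is an added example (not code from any post above, and not One Identity's own) that appends a VA value to every user in an input list through the Active Roles ADSI provider, using the correct PutEx operation code and reading the attribute back to confirm that the existing values survived. It assumes the VA is named edsvaRoleBean, the value is IMASPECIALROLE, $strContainerDN is the parent OU from the earlier posts, the input file users.txt holds one sAMAccountName per line, and the Active Roles client (EDMS:// provider) is installed on the host. The LDAP filter value is escaped because the list comes from customer-supplied files.

```powershell
# Added example: append one Virtual Attribute value to many users via EDMS://,
# one object at a time (there is no bulk call), with verification after each write.

# ADS_PROPERTY_OPERATION_ENUM values accepted by IADs::PutEx
$ADS_PROPERTY_CLEAR  = 1
$ADS_PROPERTY_UPDATE = 2   # replaces the whole value list (what "2" did in the thread)
$ADS_PROPERTY_APPEND = 3   # adds values and keeps the existing ones
$ADS_PROPERTY_DELETE = 4

$strContainerDN = 'OU=Users,DC=example,DC=com'   # placeholder: parent OU of the target users
$vaName         = 'edsvaRoleBean'                # assumed VA name
$strRoleType    = 'IMASPECIALROLE'               # assumed role value

function ConvertTo-LdapFilterValue([string]$s) {
    # Escape RFC 4515 special characters so a value read from an input file
    # cannot change the shape of the LDAP filter. Backslash must be handled first.
    $s -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

# Constructed input: one sAMAccountName per line
$userNames = Get-Content -Path '.\users.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($username in $userNames) {
    # Resolve the object with a plain LDAP search first (cheap, no ARS round trip).
    $safeName = ConvertTo-LdapFilterValue $username
    $searcher = [adsisearcher]::new(
        [ADSI]"LDAP://$strContainerDN",
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))",
        @('distinguishedName'),
        'Subtree')
    $hit = $searcher.FindOne()
    if (-not $hit) {
        [pscustomobject]@{ User = $username; Status = 'NotFound' }
        continue
    }
    $dn = [string]$hit.Properties['distinguishedname'][0]

    # Bind through Active Roles so the VA is visible and writable.
    $arsObj = [ADSI]("EDMS://$dn")

    # Current values; an unset attribute throws, which we treat as "empty".
    $current = @()
    try { $current = @($arsObj.GetEx($vaName)) } catch { $current = @() }

    if ($current -contains $strRoleType) {
        [pscustomobject]@{ User = $username; Status = 'AlreadySet' }
        continue
    }

    try {
        $arsObj.PutEx($ADS_PROPERTY_APPEND, $vaName, @($strRoleType))
        $arsObj.SetInfo()

        # Verify by re-binding: the new value is present and no old value was lost.
        $after   = @(([ADSI]("EDMS://$dn")).GetEx($vaName))
        $missing = @($current | Where-Object { $after -notcontains $_ })
        $ok = ($after -contains $strRoleType) -and ($missing.Count -eq 0)
        [pscustomobject]@{ User = $username; Status = $(if ($ok) { 'Appended' } else { 'VerifyFailed' }) }
    } catch {
        [pscustomobject]@{ User = $username; Status = "Error: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

The read-back after SetInfo is the check worth keeping even once the loop is tuned: the thread shows that a single wrong operation code silently discarded every role already on the VA, and a per-user Appended/VerifyFailed record is what lets you roll back exactly the objects that were touched.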