Virtual Attribute update from ARS Sync or Set-QADUSer

Hello,

I have a new virtual attribute that I need populated for 34k users. Can you tell me the quickest way to accomplish this?

I've tried via Active Roles Sync from a SQL Table and also took the data from the table and used "Set-QADUser -Proxy -Connect" from an input file, and both take a long time.

If we could populate it in the SQL Table it may be faster, because we do store the virtual attribute in the ARS DB, although I don't know if that's possible.

Please let me know if anyone has any suggestions and I appreciate any advice.

Thank you,

Lu

  • Hi Lu

    The easiest option would be to use the Active Roles Synchronization Service. The value(s) you want to set from SQL or CSV can be easily synchronized to each associated user's Virtual Attribute. So your source data would need to have some field/column that holds, for example, the UPN or samAccountName for each user (or object) you want to update (for the matching rule).

    Yes, it may take a while to run, but after you've tested with <x> accounts (where X is an appropriate number for your environment), you can leave it to update (out of hours).

    If it is not possible to use the Synchronization Service, then you have three (or more) methods available to you:

    1) Write a PowerShell script which calls the "Set-QADUser" cmdlet, as you've tried above. Similar to the Sync Service, it may take a while, as you are making 34k requests to your Administration Service (with all the associated history data being written).

    2) Use the above code (option 1) in a script block and, using jobs, execute an instance of the code (passing the current run's variables) for each object. This is possible, but writing the code to handle the execution of <x> instances of your code block, plus returning the result from the job, is fairly complex, and for a one-off task may be overkill.

    3) If you have PowerShell 7.2 available (or you can install it), then you have option 2 without the need to write job handling.

    As the simplest example of what I mean, the below first gets a list of services (but this could be an Import-Csv, or a method to return a recordset from a SQL table).

    It then pipes the "recordset" (variable) into the ForEach-Object cmdlet (ForEach-Object (Microsoft.PowerShell.Core) - PowerShell | Microsoft Docs), setting the Parallel parameter and passing the script block; in my case I've just provided a "Write-Host" of the current service's name, then finally included a throttle limit, so it only runs <x> (or in my case 2) parallel tasks at a time.

    $Services = Get-Service

    $Services | ForEach-Object -Parallel {
        Write-Host $($_.Name)
    } -ThrottleLimit 2

    Or the below is an example from the MS webpage linked above; the first is with a throttle limit of 5 and 1. Please note that not all use cases benefit from running multiple actions at the same time.

    4) Instead of using the ARS cmdlet, use the ADSI Provider, something like:

    # Bind to the object through the Active Roles (EDMS) ADSI provider, using the object's DN
    $Object = [ADSI]"EDMS://<objectDN>"
    # Stage the virtual attribute value, then commit it to the Administration Service
    $Object.Put('myVA', "My value")
    $Object.SetInfo()

    There are some examples at the bottom of this KB: Using Active Roles Controls (331501) (oneidentity.com)

    I personally would not recommend that you attempt to enter the data directly into the Active Roles database yourself; the supported methods would be via the SPML Provider, Web Interface, Console (MMC), PowerShell cmdlet or ADSI Provider.

    Hope this helps

    Stu
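    Putting options 3 and 4 together as one runnable script, as an added example that is not part of Stu's reply or One Identity's own code: it reads the DN and value for each object from a CSV (the column names "DistinguishedName" and "Value", the file paths and the virtual attribute name "myVA" are all assumptions), writes each value through the EDMS ADSI provider inside ForEach-Object -Parallel, and collects a per-object result row instead of writing to the console, so the failures from a 34k-object run end up in a file you can review. A -DryRun switch binds to each object without calling SetInfo(), which is the check to run on a handful of rows before the overnight run.

```powershell
# Added example, not code from the original thread. Requires PowerShell 7+
# (ForEach-Object -Parallel) on a host with the Active Roles ADSI provider (EDMS://).
param(
    [string]$InputCsv      = 'C:\temp\va_values.csv',   # assumed: columns DistinguishedName,Value
    [string]$ResultCsv     = 'C:\temp\va_results.csv',  # assumed output path
    [string]$AttributeName = 'myVA',                    # assumed virtual attribute name
    [int]$ThrottleLimit    = 5,                         # start low; the Admin Service is the bottleneck
    [switch]$DryRun                                     # bind and validate only, no SetInfo()
)

# Source recordset; Stu's Get-Service stands in for this in the reply above.
$records = Import-Csv -Path $InputCsv

$results = $records | ForEach-Object -Parallel {
    # Outer-scope values must be pulled into the parallel runspace with $using:
    $attr   = $using:AttributeName
    $dryRun = $using:DryRun
    $rec    = $_

    try {
        if ([string]::IsNullOrWhiteSpace($rec.DistinguishedName)) {
            throw 'Row has no DistinguishedName'
        }

        # Bind through the Active Roles provider so the change goes via the
        # Administration Service (policies, history and workflow still apply).
        $obj = [ADSI]"EDMS://$($rec.DistinguishedName)"

        # Touching a property forces the bind; a bad DN fails here, not at SetInfo().
        $null = $obj.distinguishedName

        if ($dryRun) {
            $status = 'DryRun'
        } else {
            $obj.Put($attr, $rec.Value)
            $obj.SetInfo()
            $status = 'OK'
        }

        [pscustomobject]@{
            DistinguishedName = $rec.DistinguishedName
            Status            = $status
            Error             = $null
        }
    }
    catch {
        # Record the failure and keep going; one bad row must not stop the batch.
        [pscustomobject]@{
            DistinguishedName = $rec.DistinguishedName
            Status            = 'Failed'
            Error             = $_.Exception.Message
        }
    }
} -ThrottleLimit $ThrottleLimit

# Persist every outcome, then print a summary; re-run the Failed rows separately.
$results | Export-Csv -Path $ResultCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

    Run it first with -DryRun against a CSV of a few test accounts, then raise -ThrottleLimit gradually while watching CPU on the Administration Service you are pointed at; as Stu notes, more parallel tasks is not automatically faster when every task ends up queued on the same service.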

  • Thanks Stu!

    I'm going with the Active Roles sync; it runs a bit faster than a script.

    As you mentioned, I will just have to run it and leave it overnight. I did try this initially and was pointing to an ARS server that is handling a lot of dynamic groups / scheduled scripts and group families, so it was pegging the CPU. I realized I had another ARS server that is only hosting the web portal, so it can handle this and not interrupt as much.

    Thanks for the advice.

    Lu