Parsing attributes for dynamic groups

Hello :-)

I have a need for preferably a dynamic group that can parse an attribute and compare to a list of values.

Example - ADUser Title attribute - "F387-IT Operations Manager"

I need to parse the value before the "-" for "F387", then look up that value in a list of up to 4500 values to see if there's a match.

If there is a match, then I want the AD user to be a member of the dynamic group.

How can I build this in a way that is dynamic and yet performance doesn't take a hit? For reference, I've got >40K ADUsers. Doing "Get-ADUser -filter {...}" takes 30+ seconds across all 40K users.

Regards,

Jon

  • Hello, Jon.

    This is an older thread, but thought that I might be able to offer some additional insight.

    CM is right on a couple of great points. An Active Roles dynamic group does indeed convert your query-based rules into LDAP queries. In your case, the query you describe could use the "begins with" operator, to search for any user whose jobTitle attribute contains "F387-". This would ultimately convert into the LDAP search:

    (title=F380-*)

    One of the reasons that I wanted to respond to your post is that you should not use the performance of the QAD cmdlets as an indicator of the performance of the dynamic group query. The QAD cmdlets add a significant amount of overhead in order to achieve ease-of-use. A better indicator would be to use the DirectorySearcher interface to search using the ADSI provider.

    Also, please don't ignore the capabilities of the Group Membership Provisioning Policies. They offer a lot of value for a lesser performance implication than dynamic groups, so definitely deserve a look.
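The following is an added example, not code from the thread, showing the approach the reply recommends: a single paged DirectorySearcher query through the ADSI provider pulls every user's title server-side, the prefix before "-" is parsed client-side, and it is checked against a HashSet built from the code list (a 4500-entry list is too large to embed in one LDAP filter). It assumes a text file at `C:\temp\codes.txt` with one code per line and searches the current domain's default naming context.

```powershell
# Added example (not from the thread): enumerate users with DirectorySearcher
# over the ADSI provider, take the text before "-" from the title attribute,
# and test it against a hash set of allowed codes.
# Assumptions: $codeListPath (assumed path) holds one code per line, e.g. F387,
# and the search root is the current domain's default naming context.

$codeListPath = 'C:\temp\codes.txt'
$codes = [System.Collections.Generic.HashSet[string]]::new(
    [string[]](Get-Content -Path $codeListPath | Where-Object { $_.Trim() }),
    [System.StringComparer]::OrdinalIgnoreCase)

$rootDse = [ADSI]'LDAP://RootDSE'
$root    = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

$searcher = [System.DirectoryServices.DirectorySearcher]::new($root)
# Server-side filter: only user objects whose title contains a dash, so the
# result set is already reduced before any client-side parsing happens.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(title=*-*))'
$searcher.PageSize = 1000   # paged results, otherwise AD stops at 1000 entries
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'title'))

$matched = foreach ($result in $searcher.FindAll()) {
    $title = [string]$result.Properties['title'][0]
    # Text before the first "-" with surrounding whitespace removed, e.g. "F387"
    $prefix = $title.Split('-', 2)[0].Trim()
    if ($codes.Contains($prefix)) {
        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            Title             = $title
            Code              = $prefix
        }
    }
}

"$($matched.Count) users matched one of $($codes.Count) codes"
$matched | Select-Object -First 10
```

The resulting DistinguishedName list is what you would feed into the group's membership (for example via a provisioning policy or a scheduled script), since the parse-and-lookup step itself cannot be expressed as a single dynamic group rule.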

