
Sync Editor v7.1.1: AD Scope - System Filter

In the scope of my AD Connector there are 10,000+ groups, of which only approximately 50 are to be managed. This has led me to define a system filter for group objects, but for some reason I have been unable to get the filter to work.

I have tried defining the filter in a few different ways (first is my preference):

  1. (|(cn=*endswith)(ou:dn:=someOU))
  2. (|(cn=*endswith)(cn=someGroup)(cn=anotherGroup))
  3. (|(cn=Group1)(cn=Group2)(cn=Group3)...)

Also tried (cn=someGroup) to simply test.

When I define an Object Filter it works fine using a where clause, but this is not preferable as that means bringing in 10,000+ groups to only utilise 50.


Is there something I'm missing here? Has anyone else run into this issue?

  • Active Directory does not support the ou:dn:= search additions syntax.

    See my post https://www.quest.com/community/products/one-identity/f/identity-manager/22965/ad-sync-project-a-scope-that-excludes-an-ou-takes-much-longer-to-query-contacts-than-any-other-object-type/61865#61865 here.

    In regards to the scope filter not working, try to contact support if there is a hotfix available for 7.1.1.

  • Markus is right. I ran into similar issues and was running out of ideas, but he pointed me toward using msDS-parentdistname instead of the syntax that doesn't work.

    If your AD is 2012 functional level or higher, then try adding a filtered schema class based on group (called groups(managed), for example). For example, if your managed groups exist in two OUs only, the filtered schema properties might look something like this:

    System filter:

    (|(msDS-parentdistname=OU=someOU,DC=company,DC=com)(msDS-parentdistname=OU=anotherOU,DC=company,DC=com))

    Object filter:

    ((msDS_parentdistname='OU=someOU,DC=company,DC=com') OR (msDS_parentdistname='OU=anotherOU,DC=company,DC=com'))

    You can test the efficiency of this option without committing anything, if you configure the filtered schema class and then go straight into the target system browser. Expand the groups section in the treeview, and you'll now see both schema classes - click on each one in turn and you can see how many objects it returns and how long it takes to process them.

    If it's working exactly the way you want, to use the new schema you edit the Mapping for group, so that instead of it using groups(all) schema class on the target side, it uses groups(managed) instead.

    Cheers
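The two filters in the reply above are easy to get subtly wrong by hand once you have more than a couple of OUs, or an OU whose name contains characters that are special in an LDAP filter (parentheses, asterisks, backslashes). The following is an added example, not code from the thread or from One Identity Manager itself: it builds both the system filter (RFC 4515 LDAP syntax) and the object filter (the WHERE-clause form shown above) from a list of managed OU DNs, and simulates what the msDS-parentdistname equality match selects against a few constructed group DNs. The important caveat it makes visible is that msDS-parentdistname is the DN of the *immediate* parent, so a group sitting in a sub-OU of a managed OU is not matched. The managed OU DNs and the sample group DNs are constructed for the example; the rule that single quotes inside a WHERE-clause value are escaped by doubling them is an assumption to verify against your Synchronization Editor version.

```python
import re

# Constructed sample data for this example (not real directory data):
# the two managed OUs from the thread and a few hypothetical group DNs.
MANAGED_OUS = [
    "OU=someOU,DC=company,DC=com",
    "OU=anotherOU,DC=company,DC=com",
]

SAMPLE_GROUPS = [
    "CN=App-Admins,OU=someOU,DC=company,DC=com",
    "CN=App-Users,OU=anotherOU,DC=company,DC=com",
    "CN=Nested-Group,OU=Sub,OU=someOU,DC=company,DC=com",  # lives in a sub-OU
    "CN=Unmanaged,OU=Other,DC=company,DC=com",
]

# RFC 4515 escaping for values embedded in an LDAP search filter.
# Backslash is handled first so the escape sequences themselves are not re-escaped.
_LDAP_ESCAPES = [
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
]


def ldap_escape(value: str) -> str:
    """Escape a value so it can be placed inside an LDAP filter assertion."""
    for raw, esc in _LDAP_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_system_filter(ous) -> str:
    """LDAP filter matching objects whose *direct* parent is one of `ous`.

    msDS-parentdistname holds the parent's DN, so this is an equality match
    on the immediate container only; objects in sub-OUs are not matched.
    """
    clauses = "".join(f"(msDS-parentdistname={ldap_escape(ou)})" for ou in ous)
    return f"(|{clauses})"


def _sql_quote(value: str) -> str:
    # Assumption: single quotes inside a WHERE-clause value are doubled, as in SQL.
    return value.replace("'", "''")


def build_object_filter(ous) -> str:
    """Object (WHERE-clause) filter in the form used in the thread."""
    clauses = " OR ".join(f"(msDS_parentdistname='{_sql_quote(ou)}')" for ou in ous)
    return f"({clauses})"


# Split a DN on commas that are not backslash-escaped (simplified RFC 4514 parsing:
# handles "CN=Doe\, Jane" style RDNs, not every quoting form).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parent_dn(dn: str) -> str:
    """Return the DN of the containing object, i.e. the DN with its leading RDN dropped."""
    rdns = _RDN_SPLIT.split(dn)
    return ",".join(rdns[1:])


def select_managed(group_dns, managed_ous):
    """Simulate the system filter locally: keep only groups whose direct parent
    is a managed OU. DN comparison in AD is case-insensitive, so compare casefolded."""
    wanted = {ou.casefold() for ou in managed_ous}
    return [dn for dn in group_dns if parent_dn(dn).casefold() in wanted]


if __name__ == "__main__":
    print("System filter:\n ", build_system_filter(MANAGED_OUS))
    print("Object filter:\n ", build_object_filter(MANAGED_OUS))
    managed = select_managed(SAMPLE_GROUPS, MANAGED_OUS)
    print(f"\n{len(managed)} of {len(SAMPLE_GROUPS)} sample groups are in scope:")
    for dn in managed:
        print("  ", dn)
    print("\nNot in scope (sub-OU or other container):")
    for dn in SAMPLE_GROUPS:
        if dn not in managed:
            print("  ", dn)
```

Before committing the scope in the Synchronization Editor, the generated system filter string can be handed straight to `Get-ADGroup -LDAPFilter` in PowerShell to confirm the count of groups a domain controller actually returns for it; if groups you expect are missing, check whether they sit in a sub-OU, since the equality match on msDS-parentdistname will not pick those up and each sub-OU would need its own clause.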