Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Updating AD group membership
594 views
Skip to first unread message
Frederick Lee
Feb 9, 2012, 6:28:41 AM2/9/12
to
Hello,
We've got some AD groups which have ~5k entries in them, and I am
looking for the most efficient way to perform membership updates on
them in TDI 6.1.1.
One issue with AD groups with 5k members is that you do not get the
full list of group members, only 1500 at a time (Win2k3 forest). So
having a look into the TDI API, I spotted a few functions such as
addAttributeValue, replaceAttributeValue and removeAttributeValue.
So I created a test AL with one passive LDAP connector in update mode,
and a script. The script contains the following lines:
try {
task.logmsg("Attempting group add");
tstGroupUpdate.connector.addAttributeValue("cn=myGroup,ou=groups,dc=ad,dc=com",
"member",
"cn=tester1,ou=users,dc=ad,dc=com"
);
task.logmsg("Group add successful");
} catch (e) {
task.logmsg("Group add failed");
task.logmsg(e);
}
I got a failed message with error:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data
0
Is there something else required to use this function? Otherwise, if
anyone could suggest another way to update AD group membership without
resorting to pulling all 5k entries for a compare, would be most
appreciated.
Thank you.
We've got some AD groups which have ~5k entries in them, and I am
looking for the most efficient way to perform membership updates on
them in TDI 6.1.1.
One issue with AD groups with 5k members is that you do not get the
full list of group members, only 1500 at a time (Win2k3 forest). So
having a look into the TDI API, I spotted a few functions such as
addAttributeValue, replaceAttributeValue and removeAttributeValue.
So I created a test AL with one passive LDAP connector in update mode,
and a script. The script contains the following lines:
try {
task.logmsg("Attempting group add");
tstGroupUpdate.connector.addAttributeValue("cn=myGroup,ou=groups,dc=ad,dc=com",
"member",
"cn=tester1,ou=users,dc=ad,dc=com"
);
task.logmsg("Group add successful");
} catch (e) {
task.logmsg("Group add failed");
task.logmsg(e);
}
I got a failed message with error:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data
0
Is there something else required to use this function? Otherwise, if
anyone could suggest another way to update AD group membership without
resorting to pulling all 5k entries for a compare, would be most
appreciated.
Thank you.
Eddie Hartman
Feb 9, 2012, 7:27:04 AM2/9/12
to
On Feb 9, 12:28 pm, Frederick Lee <frederick.l...@gmail.com> wrote:
> Hello,
>
> We've got some AD groups which have ~5k entries in them, and I am
> looking for the most efficient way to perform membership updates on
> them in TDI 6.1.1.
>
> One issue with AD groups with 5k members is that you do not get the
> full list of group members, only 1500 at a time (Win2k3 forest). So
> having a look into the TDI API, I spotted a few functions such as
> addAttributeValue, replaceAttributeValue and removeAttributeValue.
>
> So I created a test AL with one passive LDAP connector in update mode,
> and a script. The script contains the following lines:
>
> try {
> task.logmsg("Attempting group add");
>
> tstGroupUpdate.connector.addAttributeValue("cn=myGroup,ou=groups,dc=ad,dc=c om",
> Hello,
>
> We've got some AD groups which have ~5k entries in them, and I am
> looking for the most efficient way to perform membership updates on
> them in TDI 6.1.1.
>
> One issue with AD groups with 5k members is that you do not get the
> full list of group members, only 1500 at a time (Win2k3 forest). So
> having a look into the TDI API, I spotted a few functions such as
> addAttributeValue, replaceAttributeValue and removeAttributeValue.
>
> So I created a test AL with one passive LDAP connector in update mode,
> and a script. The script contains the following lines:
>
> try {
> task.logmsg("Attempting group add");
>
> "member",
> "cn=tester1,ou=users,dc=ad,dc=com"
> );
> task.logmsg("Group add successful");} catch (e) {
>
> task.logmsg("Group add failed");
> task.logmsg(e);
>
> }
>
> I got a failed message with error:
>
> javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
> 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data
> 0
>
> Is there something else required to use this function? Otherwise, if
> anyone could suggest another way to update AD group membership without
> resorting to pulling all 5k entries for a compare, would be most
> appreciated.
>
> Thank you.
I have not tried using these methods on AD, but it looks like AD's is
> "cn=tester1,ou=users,dc=ad,dc=com"
> );
> task.logmsg("Group add successful");} catch (e) {
>
> task.logmsg("Group add failed");
> task.logmsg(e);
>
> }
>
> I got a failed message with error:
>
> javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
> 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data
> 0
>
> Is there something else required to use this function? Otherwise, if
> anyone could suggest another way to update AD group membership without
> resorting to pulling all 5k entries for a compare, would be most
> appreciated.
>
> Thank you.
not LDAP compliant enough to permit this operation.
You might want to use the boolean compare() method first (also from
the LDAP Connector) before attempting to add a new value. I have
experienced that the add fails if the value already exists.
-Eddie
Frederick Lee
Feb 9, 2012, 4:36:01 PM2/9/12
to
On Feb 9, 11:27 pm, Eddie Hartman <eddiehart...@gmail.com> wrote:
> I have not tried using these methods on AD, but it looks like AD's is
> not LDAP compliant enough to permit this operation.
>
> You might want to use the boolean compare() method first (also from
> the LDAP Connector) before attempting to add a new value. I have
> experienced that the add fails if the value already exists.
>
> -Eddie
Bummer! I thought that with ADO in VBScript supporting append mode for
> I have not tried using these methods on AD, but it looks like AD's is
> not LDAP compliant enough to permit this operation.
>
> You might want to use the boolean compare() method first (also from
> the LDAP Connector) before attempting to add a new value. I have
> experienced that the add fails if the value already exists.
>
> -Eddie
AD that it would be compliant enough.
The group I was trying this against only had a few users, so I was
sure the user did not exist. Thank you for the tip, will definitely
remember that for the future.
So if I were to go back to a standard LDAP connector set to update
mode with compute changes enabled, would it be able to handle a group
with 5k users where I'm adding a user to the member attribute? Or will
I need to add the user to the appropriate range attribute e.g. member;
0-1499?
Thank you.
Fred
Eddie Hartman
Feb 10, 2012, 12:30:17 PM2/10/12
to
Fred :) AD itself may balk if TDI ends up trying to add a new member
that was not in the 'page' returned by the Lookup, in which case you
catch this in the Error Hook and just continue.
-Eddie
0 new messages