Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000035931 - Incomplete Collection of AD Groups in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support

on Jun 26, 2018

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000035931
Applies To	RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.0.1, 7.0.2
Issue	An attempt is made to collect around 17K groups starting at the root domain. For example: Group Base DN: DC=CompanyXYZ, DC=com The search criteria is (&(objectCategory=Group)(objectClass=group)) The Test button for Group Data in the collector edit screen may indicate that the first 1000 is found. The Test button may on occasion show a timeout which is not recorded in the aveksaServer.log Upon collection, only a handful of AD administrative groups show up in the raw data for the collection.
Cause	Due to the search starting at the top of the domain, we query the root referrals of DNSZones, Configuration, and Schema. Because of the referral, you will end up in other parts of the tree for which the account you are using has no access rights, hence you collect less or even nothing.
Resolution	In the collector definition, please make sure that you check the Ignore Referrals box. This will allow the Collector to find and pull in all groups in the domain. We also suggest that you use a more targeted entry point in the tree, so that ACM collections do not search unnecessarily large areas.

Attachments

Outcomes

0 Comments

Recommended Content