000035931 - Incomplete Collection of AD Groups in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 26, 2018
Version 1

Article Content

Article Number: 000035931
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2
 
Issue
An attempt is made to collect around 17K groups starting at the root domain. For example:

Group Base DN:   DC=CompanyXYZ, DC=com


The search criteria are:

(&(objectCategory=Group)(objectClass=group))


The Test button for Group Data in the collector edit screen may indicate that the first 1000 groups are found.
 


The Test button may occasionally show a timeout that is not recorded in aveksaServer.log.

Upon collection, only a handful of AD administrative groups show up in the raw data for the collection.
Cause
Because the search starts at the top of the domain, the collector also queries the root referrals of DNSZones, Configuration, and Schema.

Following these referrals takes the search into other parts of the tree where the account in use has no access rights, so fewer groups, or none at all, are collected.

 
Resolution
In the collector definition, please make sure that you check the Ignore Referrals box.
 


Check Ignore referral



This will allow the Collector to find and pull in all groups in the domain.

We also suggest that you use a more targeted entry point in the tree, so that ACM collections do not search unnecessarily large areas.
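
To confirm the cause outside the collector, the same search can be run with a command-line LDAP client and its output checked for search references. The following Python sketch is an added example, not RSA code: it parses LDIF text in the format OpenLDAP's ldapsearch prints (the sample is constructed, with made-up hosts and groups), lists the referrals returned from the root, and counts groups per parent container to help choose a more targeted Group Base DN.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample (made-up hosts and groups) in the LDIF format that
# OpenLDAP's ldapsearch prints for a subtree search from the domain root.
SAMPLE_LDIF = """\
dn: CN=Finance Users,OU=Groups,OU=Corp,DC=CompanyXYZ,DC=com

dn: CN=VPN Users,OU=Groups,OU=Corp,DC=CompanyXYZ,DC=com

dn: CN=Domain Admins,CN=Users,DC=CompanyXYZ,DC=com

# search reference
ref: ldap://ForestDnsZones.CompanyXYZ.com/DC=ForestDnsZones,DC=CompanyXYZ,DC=
 com

# search reference
ref: ldap://DomainDnsZones.CompanyXYZ.com/DC=DomainDnsZones,DC=CompanyXYZ,DC=
 com

# search reference
ref: ldap://CompanyXYZ.com/CN=Configuration,DC=CompanyXYZ,DC=com
"""

def unfold(ldif_text):
    """Undo LDIF folding: a line that starts with one space continues the previous one."""
    return re.sub(r"\r?\n ", "", ldif_text).splitlines()

def parent_dn(dn):
    """Return the DN minus its first RDN, ignoring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) > 1 else ""

def summarize(ldif_text):
    """Separate real entries from search references (referrals)."""
    entries, referrals = [], []
    for line in unfold(ldif_text):
        if line.startswith("dn: "):
            entries.append(line[4:])
        elif line.startswith("ref: "):
            url = urlsplit(line[5:])
            referrals.append((url.hostname, unquote(url.path.lstrip("/"))))
    containers = Counter(parent_dn(dn) for dn in entries)
    return {"entries": len(entries), "containers": containers, "referrals": referrals}

if __name__ == "__main__":
    report = summarize(SAMPLE_LDIF)
    print("group entries:", report["entries"])
    for host, base in report["referrals"]:
        print("referral ->", host, base)  # each one is followed unless referrals are ignored
    for container, count in report["containers"].most_common():
        print(count, "group(s) under", container)  # candidate Group Base DNs
```

Any `ref:` lines in real output from the root DN show which partitions the collector would be sent to when Ignore Referrals is unchecked.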
