Incomplete Collection of AD Groups in RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2018-01-17
Article Number
000041408
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2
 
Issue
An attempt is made to collect around 17K groups starting at the root domain.  For example: 
Group Base DN:   DC=CompanyXYZ, DC=com

The search criteria is 
(&(objectCategory=Group)(objectClass=group))

The Test button for Group Data in the collector edit screen may indicate that the first 1000 is found.
 
User-added image

The Test button may on occasion show a timeout which is not recorded in the aveksaServer.log

Upon collection, only a handful of AD administrative groups show up in the raw data for the collection.
Cause
Due to the search starting at the top of the domain, we query the root referrals of DNSZones, Configuration, and Schema.

Because of the referral, you will end up in other parts of the tree for which the account you are using has no access rights, hence you collect less or even nothing.

 
Resolution
In the collector definition, please make sure that you check the Ignore Referrals box.
 
Check Ignore referral


This will allow the Collector to find and pull in all groups in the domain.

We also suggest that you use a more targeted entry point in the tree, so that ACM collections do not search unnecessarily large areas.
Don't see what you're looking for?