Define AD User Group Scope

Background
Administrators can now specify the scope of AD user groups that Analyzer queries on the AD server. This should improve performance during user login and anywhere else that requires access to the AD server.

Setup Steps
When a user logs in to Analyzer, Analyzer has to query the AD server for all groups that the user belongs to in order to determine which Analyzer roles the user has. If nested groups are used in the AD environment, the query may take a long time. To reduce unnecessary AD access, an administrator can limit the scope of AD access by specifying the following 3 keys and values in Web.config (\program files\analyzer\web):

1. Control Group Range

<add key="AD.UserGroupRange" value="13"/>

The chart below shows the value and the depth of the scope:

The value is the sum of the numbers for the group types to check, for example:
0 = all AD groups are ignored (Analyzer will not look for users inside any group type)
15 = check all group types, THIS IS THE DEFAULT SETTING.
13 = scope includes Nested (8) + Domain (4) + Local (1)

Local = local group on the server where Analyzer is installed
Fast = obtain groups through .NET; however, the result might not be complete
Domain = search in AD
Nested = search in AD plus any nested groups

Administrators can adjust the value to limit the query scope and improve performance.

2. Display all groups retrieved by Analyzer in the User Working Area

Optionally, add the following key to Web.config to display all the groups that the user belongs to.


<add key="AD.ShowUserGroups" value="true"/>

3. LDAP Object Scope

Add the following key to Web.config to control the LDAP object scope. Please note that this only applies when an LDAP server is in use.

<add key="AD.UserObjectFilter" value="(objectCategory=person)(objectClass=user)"/>
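
To check what a given Web.config actually enables, the following PowerShell script (an added example, not part of Analyzer) reads the three keys above and decodes AD.UserGroupRange into the lookups it turns on. The file path is a placeholder, the location of the keys under appSettings is an assumption, and Fast = 2 is inferred from the default of 15 rather than stated in the article.

```powershell
# Added example. Local=1, Domain=4, Nested=8 come from the article;
# Fast=2 is inferred from 15 (all group types) = 1 + 2 + 4 + 8.
$scopeBits = [ordered]@{ Local = 1; Fast = 2; Domain = 4; Nested = 8 }

# Placeholder path: point this at the Web.config in the Analyzer web folder.
$configPath = '.\Web.config'

function Get-AppSetting {
    param([xml]$Config, [string]$Key)
    # Assumes the keys sit under <appSettings>; local-name() ignores any xmlns.
    $xpath = "//*[local-name()='appSettings']/*[local-name()='add'][@key='$Key']"
    $node = $Config.SelectSingleNode($xpath)
    if ($node) { $node.GetAttribute('value') } else { $null }
}

function ConvertFrom-UserGroupRange {
    param([int]$Value)
    if ($Value -lt 0 -or $Value -gt 15) {
        throw "AD.UserGroupRange must be between 0 and 15, got $Value"
    }
    # One row per lookup type, showing whether its bit is set in the value.
    foreach ($name in $scopeBits.Keys) {
        [pscustomobject]@{
            Lookup  = $name
            Bit     = $scopeBits[$name]
            Enabled = [bool]($Value -band $scopeBits[$name])
        }
    }
}

[xml]$config = Get-Content -LiteralPath $configPath -Raw

$raw = Get-AppSetting $config 'AD.UserGroupRange'
# The article gives 15 as the default, so report that when the key is absent.
$range = if ($null -eq $raw) { 15 } else { [int]$raw }
$note = if ($null -eq $raw) { ' (key absent, default)' } else { '' }
"AD.UserGroupRange = $range$note"
ConvertFrom-UserGroupRange $range | Format-Table -AutoSize

# Report the two optional keys as configured.
foreach ($key in 'AD.ShowUserGroups', 'AD.UserObjectFilter') {
    $value = Get-AppSetting $config $key
    if ($null -eq $value) { $value = '(not set)' }
    "$key = $value"
}
```

A lookup reported as not enabled is skipped at login, so groups that only that lookup would return are not available when Analyzer works out the user's roles. Review role assignments after lowering the value.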

 

 
