Return
-
Title
HOW TO: Completely disable Dynamic Group functionality within Active Roles -
Description
Dynamic Group functionality within the Active Roles Administration Service is enabled by default.
There is some overhead associated with leaving this functionality enabled, notably there could be relatively expensive LDAP queries performed against Active Directory such as the following:
(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com)(accountNameHistory=*[DG]*))
-
Cause
If Dynamic Groups are not leveraged in the environment, it may be desired to disable the feature in order to prevent any overhead.
-
Resolution
- In the Active Roles Console, as a Active Roles Admin, navigate to: Configuration | Policies | Administration | Builtin | Builtin Policy - Dynamic Groups and remove any entries from the Scope of that policy
- Then, navigate to Configuration | Server Configuration | Scheduled Tasks | Builtin and disable both the Dynamic Group Checker and Dynamic Group Updater scheduled tasks