remove user from large policy group using ldap

  • Question

  • How do I effectively remove a user from a large policy group?
    Now I use:
    dirEntry = new DirectoryEntry(…
    dirEntry.Properties["msDS-PSOAppliesTo"].Remove(userDn);
    Problem: dirEntry only holds up to 1500 users. I have more than 1M users, so I have to loop over using paging until I find the entry that holds the user, and only then call Remove(userDn). IT TAKES TOO LONG. HOW DO I REMOVE THE USER POLICY MORE EFFECTIVELY? CURRENT INEFFECTIVE CODE:

    DirectoryEntry dirEntry = null;
    string LDAPQuery = LDAP_INIT + "CN=" + policy + ",CN=Password Settings Container,CN=System," + LDAP;
    dirEntry = new DirectoryEntry(LDAPQuery, DOMAIN + "\\" + ADS_ADMIN.userName, ADS_ADMIN.pwd);
    dirEntry.AuthenticationType = AuthenticationTypes.Secure;
    int ctr = 0;
    // at most 1000 batches of 1000 values, i.e. roughly the 1M links expected on this PSO
    while (ctr < 1000)
    {
        if (ctr == 0)
            // first batch: values 0..1000 of the linked attribute (a DC caps one range at its MaxValRange, 1500 by default)
            dirEntry.RefreshCache(new string[] { "msDS-PSOAppliesTo;range=0-1000" });
        else
            // following batches: 1001-2000, 2001-3000, ...
            dirEntry.RefreshCache(new string[] { "msDS-PSOAppliesTo;range=" + ((ctr * 1000) + 1).ToString() + "-" + ((ctr + 1) * 1000).ToString() });
        if (dirEntry.Properties["msDS-PSOAppliesTo"].Contains(userDn))
        {
            dirEntry.Properties["msDS-PSOAppliesTo"].Remove(userDn);
            dirEntry.CommitChanges();
            break;
        }
        ctr++;
    }
    GC
    • Moved by Rich Prescott Wednesday, December 21, 2011 4:47 AM C# querying AD (From:The Official Scripting Guys Forum!)
    Tuesday, December 20, 2011 11:32 AM
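Added example (not code from the original post, and not the thread author's method): an LDAP modify that deletes one specific value from msDS-PSOAppliesTo only has to name that value, so the client never needs to page through the other links on the PSO; and whether a user is linked to a PSO at all can be read from the small backlink attribute msDS-PSOApplied on the user object rather than from the forward link on the PSO. This version uses System.DirectoryServices.Protocols so the wire operations are explicit. The host name, DNs and class names are hypothetical; it runs as the calling account, which needs write access to the PSO, and it signs and seals the session.

```csharp
using System;
using System.DirectoryServices.Protocols;

// Added example, not from the original thread. All host names and DNs are hypothetical.
class PsoLinkRemover
{
    static void Main()
    {
        const string dc = "dc01.corp.example";                                                         // hypothetical
        const string psoDn = "CN=Finance-Strict,CN=Password Settings Container,CN=System,DC=corp,DC=example"; // hypothetical
        const string userDn = "CN=Jane Doe,OU=Finance,DC=corp,DC=example";                             // hypothetical

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 389)))
        {
            conn.SessionOptions.Signing = true;  // integrity-protect the session so the modify cannot be altered in transit
            conn.SessionOptions.Sealing = true;  // and encrypt it
            conn.AuthType = AuthType.Negotiate;  // Kerberos where available, as the calling account
            conn.Bind();

            // Cheap membership check: the backlink on the user lists the PSOs linked to it.
            foreach (string pso in LinkedPsos(conn, userDn))
                Console.WriteLine("{0} is linked to {1}", userDn, pso);

            RemoveSubject(conn, psoDn, userDn);
        }
    }

    // Which PSOs are linked to this user? Read the backlink on the user instead of paging the PSO's forward link.
    static string[] LinkedPsos(LdapConnection conn, string userDn)
    {
        var resp = (SearchResponse)conn.SendRequest(
            new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, "msDS-PSOApplied"));
        if (resp.Entries.Count == 0) return new string[0];
        DirectoryAttribute attr = resp.Entries[0].Attributes["msDS-PSOApplied"];
        if (attr == null) return new string[0];
        return Array.ConvertAll(attr.GetValues(typeof(string)), v => (string)v);
    }

    // One modify request that deletes exactly one value from the multi-valued linked attribute.
    // The DC removes just that link; nothing else on the PSO is read or rewritten by the client.
    static void RemoveSubject(LdapConnection conn, string psoDn, string subjectDn)
    {
        var mod = new DirectoryAttributeModification
        {
            Name = "msDS-PSOAppliesTo",
            Operation = DirectoryAttributeOperation.Delete
        };
        mod.Add(subjectDn);

        try
        {
            conn.SendRequest(new ModifyRequest(psoDn, mod));
            Console.WriteLine("removed {0} from {1}", subjectDn, psoDn);
        }
        catch (DirectoryOperationException ex)
            when (ex.Response != null && ex.Response.ResultCode == ResultCode.NoSuchAttribute)
        {
            // The DC rejects deleting a value that is not present: the user was not a subject of this PSO.
            Console.WriteLine("{0} was not a subject of {1}", subjectDn, psoDn);
        }
    }
}
```

The NoSuchAttribute case is the one worth keeping: it is the server telling you the user was never linked, which the paging loop in the question only discovers after walking every batch.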

Answers

  • Also note that we do not apply policy to users but we apply it to containers that the user is in.

    There is no 1500 limit.  The 1500 limit is the maximum default number of objects returned by an LDAP query.  Set the resultsize to something less than 1500 and it will return all items.  If you set 500 it will return 500 in a batch but will keep batching until all objects are returned.

    Policy links would be very unusable if you linked to the user objects directly.  If you link thousands of users GP would be very slow.  I suspect you could break AD.

    You really should post to an AD developer forum as they can explain this at your code level (C#)

    If you really want to apply granular password policy to large groups of users then add groups to the policy and not users.  That way you will not have to enumerate through thousands of items.

    Create groups that model your enterprise and add the groups.

     

     


    jv


    Tuesday, December 20, 2011 12:48 PM
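Added example for the recommendation above (not the thread's code): link a global security group to the PSO, which is one value on msDS-PSOAppliesTo instead of one per user, and then read the constructed attribute msDS-ResultantPSO on a user to verify which PSO the DC actually applies to that account. As in the earlier example, the host name and DNs are hypothetical and the caller needs write access to the PSO.

```csharp
using System;
using System.DirectoryServices.Protocols;

// Added example, not from the original thread. All host names and DNs are hypothetical.
class PsoGroupLinker
{
    static void Main()
    {
        const string dc = "dc01.corp.example";                                                         // hypothetical
        const string psoDn = "CN=Finance-Strict,CN=Password Settings Container,CN=System,DC=corp,DC=example"; // hypothetical
        const string groupDn = "CN=Finance-Staff,OU=Groups,DC=corp,DC=example";                        // hypothetical global security group
        const string userDn = "CN=Jane Doe,OU=Finance,DC=corp,DC=example";                             // hypothetical member of that group

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 389)))
        {
            conn.SessionOptions.Signing = true;
            conn.SessionOptions.Sealing = true;
            conn.AuthType = AuthType.Negotiate;
            conn.Bind();

            // One link on the PSO; membership is managed on the group, not by editing the PSO per user.
            AddSubject(conn, psoDn, groupDn);

            // Verify what the DC resolves for the user after group evaluation and precedence.
            string effective = GetResultantPso(conn, userDn);
            Console.WriteLine("Resultant PSO for {0}: {1}", userDn,
                effective ?? "(none: the domain default password policy applies)");
        }
    }

    static void AddSubject(LdapConnection conn, string psoDn, string subjectDn)
    {
        var mod = new DirectoryAttributeModification
        {
            Name = "msDS-PSOAppliesTo",
            Operation = DirectoryAttributeOperation.Add
        };
        mod.Add(subjectDn);

        try
        {
            conn.SendRequest(new ModifyRequest(psoDn, mod));
        }
        catch (DirectoryOperationException ex)
            when (ex.Response != null && ex.Response.ResultCode == ResultCode.AttributeOrValueExists)
        {
            // Already linked; adding the same value twice is rejected by the DC, so treat it as done.
        }
    }

    // msDS-ResultantPSO is a constructed attribute: the DC computes it per request and only
    // returns it when it is asked for by name. Absent means no PSO applies to this user.
    static string GetResultantPso(LdapConnection conn, string userDn)
    {
        var resp = (SearchResponse)conn.SendRequest(
            new SearchRequest(userDn, "(objectClass=user)", SearchScope.Base, "msDS-ResultantPSO"));
        if (resp.Entries.Count == 0) return null;
        DirectoryAttribute attr = resp.Entries[0].Attributes["msDS-ResultantPSO"];
        return attr == null ? null : (string)attr[0];
    }
}
```

Two checks worth keeping in mind when reading the result: a PSO can only be linked to user objects and global security groups, so a distribution group or domain local group added here will not take effect; and when several PSOs reach the same user, one linked directly to the user wins over any reached through group membership, and among the remainder the lowest msDS-PasswordSettingsPrecedence wins. Reading msDS-ResultantPSO after the change is the way to confirm the outcome rather than inferring it from the links.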
  • The AD forum is named "Directory Services": http://social.technet.microsoft.com/Forums/en/winserverDS/threads

    Thanks!


    Ed Price (a.k.a User Ed), SQL Server Experience Program Manager (Blog, Twitter, Wiki)

    Monday, April 9, 2012 4:04 PM

All replies


    You are in the wrong forum.  This is a scripting forum.  You are using C# code.  Please post in a developer forum for AD.

     


    jv
    • Edited by jrv Wednesday, December 21, 2011 4:54 AM
    Tuesday, December 20, 2011 12:43 PM