This week my post is about catching Active Directory group membership changes. I chose this subject because I still see, and get, questions about how long it takes before a group membership change is reflected in a collection. The short answer, based on default settings, is between 1 and 10 minutes. In the rest of this post I will give the longer answer and show why that is. The main reasons are Delta Discovery and Incremental Updates, which both work now.
The most important part of quickly catching Active Directory group membership changes is a good configuration. Two configurations are very important for that: the Active Directory Group Discovery and the collection settings. To show how, and how fast, it works, I will use my Microsoft Office 2013 Security Group, which means the following configuration:
- First, enable delta discovery. To configure delta discovery, navigate to Administration > Overview > Hierarchy Configuration > Discovery Methods. Double-click Active Directory Group Discovery to open the Active Directory Group Discovery Properties and go to the Polling Schedule tab. Select Enable delta discovery and leave the Delta discovery interval (minutes) at its default.
- Note: Delta discovery does NOT pick up objects that were deleted from Active Directory.
- Second, configure the collection query and enable incremental updates on the collection. To configure incremental updates, open the collection Properties and go to the Membership Rules tab. Select Use incremental updates for this collection and add a Query Rule for the members of the Microsoft Office 2013 Security Group, using the following query:
select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "PETERTEST\\Microsoft Office 2013"
- Note: To change the interval for incremental updates, take a look at this post.
Now, making a change to the group membership of the Microsoft Office 2013 Security Group triggers the following chain of events. The first thing that happens, within 5 minutes, is that the Active Directory Group Discovery starts to run. This can be followed in adsgdis.log and looks like this:
One of the things this log shows is that a Data Discovery Record (DDR) was written for the group ‘PETERTEST\Microsoft Office 2013’. This DDR looks like this:
FV° <User Group> BEGIN_PROPERTY <8><Unique Usergroup Name><19><32><PETERTEST\Microsoft Office 2013> END_PROPERTY BEGIN_PROPERTY <0><Usergroup Name><19><32><Microsoft Office 2013> END_PROPERTY BEGIN_PROPERTY <17><Active Directory Organizational Unit><19><64> BEGIN_ARRAY_VALUES <PETERTEST.LOCAL/PETERTEST><PETERTEST.LOCAL/PETERTEST/GROUPS><PETERTEST.LOCAL/PETERTEST/GROUPS/APPLICATION> END_ARRAY_VALUES END_PROPERTY BEGIN_PROPERTY <17><Active Directory Container Name><19><64> BEGIN_ARRAY_VALUES END_ARRAY_VALUES END_PROPERTY BEGIN_PROPERTY <0><Windows NT Domain><19><32><PETERTEST> END_PROPERTY BEGIN_PROPERTY <0><AD Domain Name><19><32><PETERTEST.LOCAL> END_PROPERTY BEGIN_PROPERTY <0><SID><19><64><S-1-5-21-3410556430-1908461509-240868779-1127> END_PROPERTY BEGIN_PROPERTY <0><Object GUID><3><16><0x03E526344A6AEC4889CDCC6DC07A26DE> END_PROPERTY BEGIN_PROPERTY <0><Group Type><8><4><-2147483646> END_PROPERTY AGENTINFO<SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><PTP><02/23/2013 20:35:01> FEOF FV
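To make a record like the one above readable, and to audit what the discovery agent actually wrote (group name, SID, OU path, agent, site code and timestamp), here is a small Python parser for this DDR layout. It is an added example, not code from this post or from ConfigMgr itself; it embeds the record shown above as its sample input, keeps the numeric fields as opaque codes rather than interpreting them, and assumes nothing about the DDR format beyond what that record shows (the BEGIN_PROPERTY/END_PROPERTY, BEGIN_ARRAY_VALUES/END_ARRAY_VALUES and AGENTINFO markers). The consistency check at the end compares the unique group name, which is the value the collection query above matches on through UserGroupName, against the domain and group name the same record carries.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# The DDR from the post, copied as sample input (the leading "| " table artifact removed).
SAMPLE_DDR = (
    r"FV° <User Group> "
    r"BEGIN_PROPERTY <8><Unique Usergroup Name><19><32><PETERTEST\Microsoft Office 2013> END_PROPERTY "
    r"BEGIN_PROPERTY <0><Usergroup Name><19><32><Microsoft Office 2013> END_PROPERTY "
    r"BEGIN_PROPERTY <17><Active Directory Organizational Unit><19><64> BEGIN_ARRAY_VALUES "
    r"<PETERTEST.LOCAL/PETERTEST><PETERTEST.LOCAL/PETERTEST/GROUPS>"
    r"<PETERTEST.LOCAL/PETERTEST/GROUPS/APPLICATION> END_ARRAY_VALUES END_PROPERTY "
    r"BEGIN_PROPERTY <17><Active Directory Container Name><19><64> BEGIN_ARRAY_VALUES END_ARRAY_VALUES END_PROPERTY "
    r"BEGIN_PROPERTY <0><Windows NT Domain><19><32><PETERTEST> END_PROPERTY "
    r"BEGIN_PROPERTY <0><AD Domain Name><19><32><PETERTEST.LOCAL> END_PROPERTY "
    r"BEGIN_PROPERTY <0><SID><19><64><S-1-5-21-3410556430-1908461509-240868779-1127> END_PROPERTY "
    r"BEGIN_PROPERTY <0><Object GUID><3><16><0x03E526344A6AEC4889CDCC6DC07A26DE> END_PROPERTY "
    r"BEGIN_PROPERTY <0><Group Type><8><4><-2147483646> END_PROPERTY "
    r"AGENTINFO<SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><PTP><02/23/2013 20:35:01> FEOF FV"
)

# The first <...> token before the first property names the architecture ("User Group" here).
ARCH_RE = re.compile(r"<([^<>]+)>\s*BEGIN_PROPERTY")
# Each property: <flag><name><type code><size> followed by either one <value> or an array block.
# The flag, type code and size are kept raw; the record only shows their values, not their meaning.
PROP_RE = re.compile(r"BEGIN_PROPERTY\s+<(\d+)><([^<>]*)><(\d+)><(\d+)>(.*?)\s*END_PROPERTY", re.S)
ARRAY_RE = re.compile(r"BEGIN_ARRAY_VALUES\s*(.*?)\s*END_ARRAY_VALUES", re.S)
TOKEN_RE = re.compile(r"<([^<>]*)>")
AGENT_RE = re.compile(r"AGENTINFO<([^<>]*)><([^<>]*)><([^<>]*)>")


@dataclass
class DiscoveryRecord:
    architecture: str
    properties: Dict[str, Union[str, List[str]]] = field(default_factory=dict)
    flags: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # name -> (flag, type, size)
    agent: str = ""
    site_code: str = ""
    written_at: Optional[datetime] = None


def parse_ddr(text: str) -> DiscoveryRecord:
    """Parse one DDR in the textual layout shown in the post into a DiscoveryRecord."""
    arch = ARCH_RE.search(text)
    if arch is None:
        raise ValueError("no architecture marker before the first BEGIN_PROPERTY")
    rec = DiscoveryRecord(architecture=arch.group(1))
    for flag, name, type_code, size, rest in PROP_RE.findall(text):
        arr = ARRAY_RE.search(rest)
        if arr is not None:
            value: Union[str, List[str]] = TOKEN_RE.findall(arr.group(1))  # may be an empty list
        else:
            tokens = TOKEN_RE.findall(rest)
            value = tokens[0] if tokens else ""
        rec.properties[name] = value
        rec.flags[name] = (int(flag), int(type_code), int(size))
    agent = AGENT_RE.search(text)
    if agent is not None:
        rec.agent, rec.site_code = agent.group(1), agent.group(2)
        rec.written_at = datetime.strptime(agent.group(3), "%m/%d/%Y %H:%M:%S")
    return rec


def group_name_consistent(rec: DiscoveryRecord) -> bool:
    """The unique group name (what the collection query compares UserGroupName against) should be
    '<Windows NT Domain>\\<Usergroup Name>'; a mismatch here would explain a query that never matches."""
    p = rec.properties
    expected = f"{p.get('Windows NT Domain', '')}\\{p.get('Usergroup Name', '')}"
    return p.get("Unique Usergroup Name") == expected


def audit_line(rec: DiscoveryRecord) -> str:
    """One-line summary suitable for a change log of discovered groups."""
    when = rec.written_at.isoformat(sep=" ") if rec.written_at else "unknown-time"
    ou = rec.properties.get("Active Directory Organizational Unit", [])
    ou_path = ou[-1] if isinstance(ou, list) and ou else "-"
    return (f"{when} site={rec.site_code} agent={rec.agent} arch={rec.architecture!r} "
            f"group={rec.properties.get('Unique Usergroup Name')!r} sid={rec.properties.get('SID')} ou={ou_path}")


if __name__ == "__main__":
    record = parse_ddr(SAMPLE_DDR)
    print(audit_line(record))
    print("unique name consistent with domain\\group:", group_name_consistent(record))
```

Feeding the post's record through this prints the group, its SID and its deepest OU on one line, which is the kind of entry you would want in an audit trail when reviewing which security groups the discovery agent has reported.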
After this DDR is processed into the database, the next (incremental) collection evaluation picks up the new member of the Microsoft Office 2013 Security Group as a new member of the collection (PTP00000B). This can be followed in colleval.log and looks like this:
As my log files show, this whole process took less than a minute. So when a user is added right before the delta discovery starts, it can take less than a minute for the user to become part of the collection. In the most extreme situation, when a user is added right after the delta discovery has run and then, when the delta discovery finally runs again, it runs so long that the incremental collection update doesn't pick up the change yet, it takes up to two full cycles of, in this sample, 5 minutes. So the long answer is also between 1 and 10 minutes.
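To make the timing argument concrete, here is a small Python model of the two cycles. It is an added example, not from the post: it assumes Delta Discovery runs every 5 minutes starting at t=0, that the incremental collection evaluation also runs every 5 minutes but offset 30 seconds from the discovery start, and that the DDR is in the database 15 seconds after discovery starts in a normal run (45 seconds in the "long run" case, which is what pushes it past the next evaluation). Those offsets and runtimes are assumptions chosen to reproduce what the logs above show, not measured values; only the two 5-minute intervals come from the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Schedule:
    """All times in seconds. Only the two intervals come from the post; the rest are assumptions."""
    delta_interval: int = 300        # Delta Discovery interval, default 5 minutes
    incremental_interval: int = 300  # incremental collection update interval, 5 minutes in the sample
    incremental_phase: int = 30      # assumed: colleval starts 30 s after each discovery start
    discovery_runtime: int = 15      # assumed: seconds from discovery start until the DDR is in the DB
    eval_runtime: int = 15           # assumed: seconds colleval needs to update the membership


def next_run(t: int, interval: int, phase: int = 0, strict: bool = True) -> int:
    """First run of a periodic job (period `interval`, first run at `phase`) that starts after `t`;
    with strict=False a run starting exactly at `t` also counts."""
    candidate = phase + ((t - phase) // interval) * interval
    if candidate < t or (strict and candidate == t):
        candidate += interval
    return candidate


def time_to_membership(change_at: int, s: Schedule = Schedule()) -> int:
    """Seconds from an AD group change until the user is a member of the collection.
    A change is only seen by a discovery run that starts after it (strict), while an evaluation
    that starts once the DDR is already in the database does see it (non-strict)."""
    discovery_start = next_run(change_at, s.delta_interval, 0, strict=True)
    ddr_in_db = discovery_start + s.discovery_runtime
    eval_start = next_run(ddr_in_db, s.incremental_interval, s.incremental_phase, strict=False)
    return eval_start + s.eval_runtime - change_at


def latency_bounds(s: Schedule = Schedule()) -> tuple:
    """Best and worst case, trying a change at every second of one discovery cycle."""
    lat = [time_to_membership(t, s) for t in range(s.delta_interval)]
    return min(lat), max(lat)


if __name__ == "__main__":
    fast = Schedule()
    slow = replace(fast, discovery_runtime=45)  # discovery overruns the next evaluation start
    for label, sched in (("normal run", fast), ("long run", slow)):
        lo, hi = latency_bounds(sched)
        print(f"{label}: {lo / 60:.1f} .. {hi / 60:.1f} minutes")
```

With these assumptions a change made just before discovery starts is in the collection in under a minute (the fast path in the logs above), a change made just after a normal discovery run waits one cycle plus the runtimes, and a change made just after a run that then overruns the next evaluation waits roughly two cycles, which is the 1 to 10 minute range the post arrives at.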