[AD Import] Having Timeout
Forge component by Fábio Fantato

Hi 


I'm having a timeout when I run the sync. My AD is about 2000 plus users.

Increase the timeout value of the timer that runs the job. By default it is set to 20 mins. 

I found out the issue is caused by the "IsUserInGroup" method in the extension module. The method retrieves all the group members and checks for the user using a for loop, which means that if the AD consists of 2000 users, it will loop 2000 times. I have changed the code such that I retrieve the user's AD group and compare it with the AD group. This will be more efficient, as the chances of a user having 2000 AD groups are smaller.

I'm experiencing the same problem; we even set the timeout value to six hours and it timed out. Regarding Amoz's solution, I've read online that searching Groups for users is actually the most efficient way to query AD to determine whether a user is a member of a Group, since it's Groups that store the User membership information, not Users.

In fact, querying Users for their Group memberships isn't the most straightforward thing to do in AD. There are a few methods in System.DirectoryServices.AccountManagement that can be used, but all have their weaknesses:

  • UserPrincipal.GetGroups()
    Doesn't return nested groups
  • UserPrincipal.GetAuthorizationGroups()
    Returns nested groups, but doesn't return Distribution Groups, which I need
  • UserPrincipal.IsMemberOf()
    Doesn't work for parent Groups when Groups are nested, and I've read the performance is worse than GroupPrincipal.GetMembers(true) and iterating that list, although I haven't benchmarked it myself

Alternatively, you can use DirectoryEntry and DirectorySearcher and an LDAP query, as described here, but the problem I ran into was that I couldn't find a way to create the DirectoryEntry object with the necessary LDAP query without running into authentication problems, since I don't have a username and password I can pass. The only way I could find to instantiate a new DirectoryEntry object was to use the DirectoryEntry(object) constructor, passing it a Principal (either UserPrincipal or GroupPrincipal) instance, not using the DirectoryEntry(string) constructor as shown in the example. And even if I did find a way to implement it this way, I'm not sure if it would be faster than the current implementation of iterating through the group members (GroupPrincipal.GetMembers(true)).

If anyone has in fact improved performance of the IsUserInGroup method, or in fact any other part of AD Import, please let me know!

Thanks,
Kirk
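
An added example, not part of the posts above and not the AD Import component's own code: a nested-membership check that lets the domain controller walk the group chain through the Active Directory matching rule `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) instead of iterating members in a loop, with filter values escaped so a DN cannot change the query. The class and method names are hypothetical, and it assumes the code runs on a domain-joined machine under a domain identity that can read the directory, and that both arguments are distinguished names.

```csharp
using System.DirectoryServices;
using System.Text;

// Hypothetical helper class; not the extension's IsUserInGroup.
public static class NestedGroupCheck
{
    // LDAP_MATCHING_RULE_IN_CHAIN: AD resolves nested membership server-side.
    private const string InChain = "1.2.840.113556.1.4.1941";

    // RFC 4515 escaping: a DN containing \ * ( ) or NUL must not be able
    // to alter the structure of the search filter (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // True when userDn is a direct or nested member of groupDn.
    public static bool IsMemberTransitive(string userDn, string groupDn)
    {
        string filter =
            "(&(distinguishedName=" + EscapeFilterValue(userDn) + ")" +
            "(memberOf:" + InChain + ":=" + EscapeFilterValue(groupDn) + "))";

        // No SearchRoot and no credentials are given: the searcher targets
        // the machine's own domain and binds as the identity of the
        // running process (assumption: that identity may read AD).
        using (var searcher = new DirectorySearcher(filter))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.SizeLimit = 1;            // only existence matters
            return searcher.FindOne() != null; // one query per user, no loop
        }
    }
}
```

The check follows the `memberOf` attribute, so a user's primary group (for example Domain Users) is not matched by it and has to be handled separately.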
