ADS_MANAGE_GROUPS

For an account template marked with a strong sync policy, previously, during an account sync operation (that is, Synchronize Account with Account Template, or Check Account Sync), the ADS option may fail to find a remote Universal Group that the account belongs to. For example, if an account on domain D1 is a member of a Universal Group on domain D2, a sync operation may not notice that the account belongs to that remote Universal Group.

CA Identity Manager supports a mode where the user can specify whether to search the global catalog to find Remote Universal Groups that the account may be a member of, when performing a sync operation.

In some environments, not all domains of an Active Directory forest are managed by CA Identity Manager. For example, consider a hypothetical AD forest with three domains: D1, D2, and D3. You have two Identity Manager-managed domains, D1 and D2 (that is, you acquire D1 and D2). You can specify whether the new global catalog search feature manages Universal Groups from all domains (D1, D2, and D3), or just the Identity Manager-managed domains (D1 and D2).

If you choose to have the new global catalog search feature deal only with Identity Manager-managed domains, then CA Identity Manager will not deal with groups on domain D3, even if the account belongs to a group that resides on domain D3. For example, if the account's policy indicates that it should not belong to any group, and your account belongs to a Universal Group on domain D3, a Check Account Sync operation will not show that the account is out-of-sync if you chose to deal only with Identity Manager-managed domains. If you chose to deal with all domains, then the account will be considered out-of-sync (even though domain D3 is not managed by CA Identity Manager).
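The following added example (not CA Identity Manager code) models the D1/D2/D3 scenario above to show which group memberships a Check Account Sync can and cannot report in each mode. The function names, the `gc_search` and `all_domains` parameters, and the group names are assumptions made for illustration; they are not mapped to ADS_MANAGE_GROUPS digit values, and "search off" is simplified to always missing remote groups.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    domain: str  # domain the Universal Group resides on

def visible_groups(account_domain, memberships, managed, gc_search, all_domains):
    """Memberships a sync check can see (simplified model, not product logic)."""
    if not gc_search:
        # Search off: remote Universal Groups are modelled as always missed.
        return {g for g in memberships if g.domain == account_domain}
    if all_domains:
        return set(memberships)
    # Search on, managed domains only: groups on unmanaged domains stay hidden.
    return {g for g in memberships if g.domain in managed}

def out_of_sync(account_domain, memberships, policy, managed, gc_search, all_domains):
    """Names of visible groups the account holds but the template does not grant."""
    seen = visible_groups(account_domain, memberships, managed, gc_search, all_domains)
    return sorted(g.name for g in seen if g.name not in policy)

# Constructed sample data: account on D1, template grants no groups,
# D1 and D2 are managed, D3 is not.
MANAGED = {"D1", "D2"}
MEMBERSHIPS = [Group("UG-Finance", "D2"), Group("UG-Admins", "D3")]
POLICY = set()

def demo():
    """Run the same check in the three modes the text describes."""
    return {
        "search_off": out_of_sync("D1", MEMBERSHIPS, POLICY, MANAGED, False, False),
        "managed_only": out_of_sync("D1", MEMBERSHIPS, POLICY, MANAGED, True, False),
        "all_domains": out_of_sync("D1", MEMBERSHIPS, POLICY, MANAGED, True, True),
    }

if __name__ == "__main__":
    for mode, extra in demo().items():
        status = "out-of-sync: " + ", ".join(extra) if extra else "in sync"
        print(f"{mode:13} -> {status}")
```

In the managed-only mode the D3 membership never appears in the result, so a review of group-based access that relies on the sync check needs a separate audit of unmanaged domains.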

By default the sync feature is off.

To run this global catalog search feature, you have to set the environment variable ADS_MANAGE_GROUPS.

ADS_MANAGE_GROUPS can be set to xy as defined in the following paragraphs.

The first digit x - can be 0 or 1:

The second digit y - can be 0 or 1:

Note: The x value must be set to 1 in order for the y value to have any effect.

Once this environment variable is set, you must restart the C++ Connector Server for the variable to take effect.