How to effectively remove user from large policy group?
antricode
Member
2 Points
2 Posts
remove user from large policy group using ldap
Dec 20, 2011 08:16 AM
How to effectively remove user from large policy group?
Now I use:
dirEntry = new DirectoryEntry(…
dirEntry.Properties["msDS-PSOAppliesTo"].Remove(userDn);
Problem: dirEntry only holds up to 1500 users. I have more than 1M users, so I have to loop over using paging until I find the entry that holds the user, and only then call Remove(userDn). IT TAKES TOO LONG, HOW DO I REMOVE THE USER POLICY MORE EFFECTIVELY?
CURRENT INEFFECTIVE CODE:
// Bind to the Password Settings Object (PSO) for this policy.
DirectoryEntry dirEntry = null;
string LDAPQuery = LDAP_INIT + "CN=" + policy + ",CN=Password Settings Container,CN=System," + LDAP;
dirEntry = new DirectoryEntry(LDAPQuery, DOMAIN + "\\" + ADS_ADMIN.userName, ADS_ADMIN.pwd);
dirEntry.AuthenticationType = AuthenticationTypes.Secure;

// Load msDS-PSOAppliesTo one range at a time and stop at the slice that contains the user.
int ctr = 0;
while (ctr < 1000)
{
    if (ctr == 0)
        dirEntry.RefreshCache(new string[] { "msDS-PSOAppliesTo;range=0-1000" });
    else
        dirEntry.RefreshCache(new string[] { "msDS-PSOAppliesTo;range=" + ((ctr * 1000) + 1).ToString() + "-" + ((ctr + 1) * 1000).ToString() });

    if (dirEntry.Properties["msDS-PSOAppliesTo"].Contains(userDn))
    {
        // Found the slice holding the user: remove the value and write the change back.
        dirEntry.Properties["msDS-PSOAppliesTo"].Remove(userDn);
        dirEntry.CommitChanges();
        break;
    }
    ctr++;
}
gww
Contributor
2143 Points
458 Posts
Re: remove user from large policy group using ldap
Dec 20, 2011 01:48 PM
You can remove the group from the memberOf property of the user. You will need the DistinguishedName of the group as the GroupName.
antricode
Member
2 Points
2 Posts
Re: remove user from large policy group using ldap
Dec 21, 2011 01:29 PM
Not working; in LDAP, Member-of is a read-only property.
gww
Contributor
2143 Points
458 Posts
Re: remove user from large policy group using ldap
Dec 21, 2011 05:45 PM
Seemed like that would work. Guess not. When I am adding/removing users from groups I normally use DE.Invoke("Remove", UserDistinguishedName). According to this link it will work and you should not have to loop through the members.