3 Replies Latest reply on Apr 19, 2010 4:01 AM by Lionel

    DisableLdapGroupEnumeration

    zman Master

       

      Was just trying to get a warm and fuzzy on using the above in an AD environment of about 15,000 nodes with about 20-30 ldap policies per user.

      Is anybody using this?

      Any issues?

      I realize there are numerous variables to take into consideration concerning using this setting, and just want to see if anyone is using it and has any issues?

      Thanks.

       

       

        • 1. Re: DisableLdapGroupEnumeration
          pk Employee

           

          Seen it in production with a customer around 8500 nodes, probably roughly the same number of policies per user (~600 total application policies).  It's humming along now; here were some of the things encountered initially:

          1)  Database backend needs to be tuned (i.e., proper tables reindexed) and have the horsepower to support the more frequent lookups

          2)  IIS should be set up with app pools for the policy web service (set up by default in 8.8 under LDAPPMain) but this customer started on 8.7.

          3)  Evaluate how often policies are being checked on clients.  This customer was checking multiple times an hour prior to enabling LDAPGroupEnumeration and that proved overwhelming even after tuning.  Once this was trimmed back to more reasonable levels, it worked quite well.

          Hope this helps.

           

           

          • 2. Re: DisableLdapGroupEnumeration
            zman Master

             

            Paul,

             

             

            Thanks for the insight, that's exactly what I was looking for.

             

             

            • 3. Re: DisableLdapGroupEnumeration
              Apprentice

              Hi,

               

              I would like to have a little bit more information regarding this setting, "LDAPGroupEnumeration".

              I have a customer that deploys software only via AD group on LDMS 8.8 SP3. Around 600 policies for 9000 clients and only at logon...

              Today it works, but sometimes it's not really reliable. Making 2 devices at the same time, with the same options, the software is not installed in the same way. One runs fast, and then for the second you need to wait a lot to have something...

              The most famous reg key, DisableLdapGroupEnumeration, is not enabled on the client; should I enable this? Is it mandatory, helpful or not? What impact?

               

              Many thanks for your experience.

              Regards

              lionel