
ADSI importing only 20,000 Groups into Saviynt from AD Production

ReshamDas
Regular Contributor

Hi,

We configured an ADSI connection in the Production environment, after a proper POC in non-Prod without any issues. However, in the Production environment, we find that the ADSI access import job is fetching only 20,000 AD groups into Saviynt while there are actually 71K+ groups available in AD under the defined search filter.

Please note that the ADSI account import job is able to fetch 124K+ account records without an issue, but the access import job is unable to fetch all records, and on each run, it sticks to 20,000 groups only. The configuration is the same between non-Prod and Prod, but the non-Prod access import job works fine, bringing all 71K+ groups from non-Prod AD.

We tested with changing the AD DC hostname, and we also updated the timeout value from 300 to 3000, but the results were the same in all cases. We also checked with the client AD team to enquire about a possible LDAP search limitation, but they assured us that there is no such limitation.

PFA the Connection configuration, Security System config, Endpoint config, Saviynt access import job logs, ADSI logs data for the Production ADSI setup.

Kindly suggest.

2 REPLIES

rushikeshvartak
All-Star

Validate resource allocation in prod vs dev with Saviynt support.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ReshamDas
Regular Contributor

This issue is resolved now. There was a search limit of 20,000 found on the base DN for searching groups (DC=AM,DC=MDS,DC=XXX,DC=COM):-

ReshamDas_0-1723222439886.png

 

When we updated the search base DN to one level up (OU=XXX,DC=AM,DC=MDS,DC=XXX,DC=COM), with confirmation from client AD team that all the AD groups reside under this container, we saw it was returning totalRecord as the actual count of AD groups in Prod:-

ReshamDas_1-1723222978810.png

With this new search base DN, we executed the ADSI access import job in Prod again, and this time, it brought all 71K+ AD groups.
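
The following is an added example, not part of the thread and not Saviynt or ADSI connector code: a PowerShell check that counts group objects under each candidate search base with a paged LDAP search, giving an independent number to compare against the totalRecord value the import reports. The filter `(objectCategory=group)`, the function name `Get-GroupCount`, and the expected count are assumptions; the DNs are the masked values from the post.

```powershell
# Added example: independent count of AD groups under a search base.
# Get-GroupCount is a hypothetical helper name; the filter is an assumption,
# since the thread does not show the search filter configured in the connection.
function Get-GroupCount {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$Server,            # optional DC hostname
        [int]$PageSize = 1000
    )
    $path = if ($Server) { "LDAP://$Server/$SearchBase" } else { "LDAP://$SearchBase" }
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter      = '(objectCategory=group)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = $PageSize   # non-zero enables paged retrieval
    $searcher.SizeLimit   = 0           # no client-imposed cap on the result count
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        $count = 0
        foreach ($r in $results) { $count++ }   # enumerating pulls every page
        return $count
    }
    finally {
        # SearchResultCollection holds unmanaged resources; release them explicitly.
        $results.Dispose()
        $searcher.Dispose()
        $entry.Dispose()
    }
}

$expected = 71000   # constructed placeholder for the "71K+" figure in the post
$bases = @(
    'DC=AM,DC=MDS,DC=XXX,DC=COM',          # masked base DN from the post
    'OU=XXX,DC=AM,DC=MDS,DC=XXX,DC=COM'    # masked base DN from the post
)

foreach ($base in $bases) {
    $n = Get-GroupCount -SearchBase $base
    [pscustomobject]@{
        SearchBase    = $base
        Groups        = $n
        BelowExpected = ($n -lt $expected)  # flags a base that returns a truncated set
    }
}
```

Run it from a domain-joined host with the same service account the connection uses, so the count reflects that account's read permissions.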