This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Stop evaluating group membership

Hi,
Is there a way of stopping NSM from checking group membership? We only use NSM for Home directory management and therefore just use the home drive attribute in AD. In our environment, we have scripts that generate group memberships based on the OU for the user in AD but because these groups can be very large - we are a University and our "all students" group has over 40,000 members - the scripts remove and re-add all the users on a fairly regular basis and NSM picks this up and we see 80,000 plus events queued, which are "evaluating group membership remove" and then "evaluating group add". We have been trying to revisit our scripts but cannot find an efficient way of just updating changes to the group membership rather than recreating from scratch so I was hoping there was a way to get nsm to ignore these changes. Any help would be appreciated (even a vbscript that would modify the groups...)

Thanks,

Dave
  • 0
    On 2/24/2014 8:26 AM, Davey1 wrote:
    >
    > Hi,
    > Is there a way of stopping NSM from checking group membership? We only
    > use NSM for Home directory management and therefore just use the home
    > drive attribute in AD. In our environment, we have scripts that generate
    > group memberships based on the OU for the user in AD but because these
    > groups can be very large - we are a University and our "all students"
    > group has over 40,000 members - the scripts remove and re-add all the
    > users on a fairly regular basis and NSM picks this up and we see 80,000
    > plus events queued, which are "evaluating group membership remove" and
    > then "evaluating group add". We have been trying to revisit our scripts
    > but cannot find an efficient way of just updating changes to the group
    > membership rather than recreating from scratch so I was hoping there was
    > a way to get nsm to ignore these changes. Any help would be appreciated
    > (even a vbscript that would modify the groups...)
    >
    > Thanks,
    >
    > Dave
    >
    >

    Dave,

    Turning off this calculation is not possible.

    If you'd like, send us an email at storagemanager@novell.com with some
    more details about these scripts and what you're trying to accomplish.
    We may be able to find some other optimizations.

    -- NFMS Support Team
  • 0 in reply to 
    I had a similar request from our MIS team. I found this article to be useful: http://dx21.com/ezine/p2p/article.aspx?ID=95 and thought that I may be able to update the groups in PowerShell (it require the ActiveDirectory module to be installed):

    import-module ActiveDirectory

    $GroupName = "CN=Test group,OU=Test,DC=TEST,DC=local"
    $ExistingMembers = get-adgroupmember $GroupName | foreach {$_.SamAccountName.ToString()}
    $UpdatedMembers = Get-Content("F:\Scripts\ NewGroupMembers.txt")

    compare-object $ExistingMembers $UpdatedMembers

    $AccountsToAdd = compare-object $ExistingMembers $UpdatedMembers | where-object {$_.SideIndicator -eq "=>"} | Select-Object InputObject
    $AccountsToRemove = compare-object $ExistingMembers $UpdatedMembers | where-object {$_.SideIndicator -eq "<="} | Select-Object InputObject

    $AccountsToAdd | foreach {Add-ADGroupMember -Identity $GroupName -Member $_.InputObject}
    $AccountsToRemove | foreach {Remove-ADGroupMember -Identity $GroupName -Member $_.InputObject}


    The script reads the membership of an existing group into an array variable and then reads a list of users from a file into an array variable (this could easily be from a database instead). It then uses the PowerShell compare-object cmdlet to get a list of objects to add to the group and also a list of object to remove. It then performs the actions.

    As you can see, only changes are made to the group, rather than a full removal and re-add of members.

    Hope this helps.

    Regards,

    Jonathan