Home Forums Identity Governance Authoritative Guide on AD Powershell Config Reply To: Authoritative Guide on AD Powershell Config

#2716
Neil Herbert
Participant

One of the most common issues appears to be this one:

Nothing has been found in target system. Configuration query was:Get-ADUser -filter *
Nothing has been found in target system. Configuration query was:Get-ADUser -Filter {objectClass -eq “user”}

I’ve replied to a number of posts that state this error. The first thing to check if whether the connector is talking to OpenIAM. This error usually indicates that there is a communications issue with the connector and OpenIAM.

Go to the Managed Systems page and check that the status is in green and has a recent timestamp. I believe connectors are meant to check in every 60 seconds.

If green check the logs. Details of how to view the AD Powershell Connector logs can be found in the docs here.

Check for errors in the logs as well as whether it’s getting requests from RabbitMQ and whether it starts to try and collect what has been asked for. Watch the task manager, increased memory use for the AD Powershell Connector is a good indicator that it’s doing something.

You should limit the scope of what you are requesting with your search query, such as only selecting the attributes needed. I’ve seen 70,000 user objects without specifying the attributes needed using 4gb of ram! Start by limiting the scope to just one user and try again. If limiting it to one user works, it’s likely a timeout issue, otherwise it’s likely to be an issue with your search query or maybe even permissions. Information on what to use as a search query can be found on the docs here. Try running the same query manually in Powershell and see if you get any results.

If you have more than a handful of user objects in AD, the chances are that this error indicates a timeout issue. Watch the stdout and stderr for your OpenIAM services, you may see an error stating that a response was not received in time from RabbitMQ. If you see this the AD Powershell Connector is taking too long to respond, this means it’s got a lot of data to get and process. The default timeout is either 30 or 60 seconds (can’t remember which) in which OpenIAM will wait for a response before abandoning the request. I don’t think this is in the docs, but you need to increase the timeout for the IDM and Synchronization service. You do this by adding new parameters to the javaopts within your deployment. I can’t remember the exact settings but can find them later.

Feel free to chip in things I’ve missed, correct me with things I’ve gotten wrong.