HP Identity Driven Manager Software Series User Manual
Page 67
2-47
Getting Started
User Session Information
■
Users deleted from Active Directory while synchronization is
disabled are assigned to the default Access Policy group during the
resynchronization process (instead of being deleted). This prevents
users who were added by another method from being deleted.
■
Within a Realm, Access Policy Group names must be unique. If Access
Policy Groups are being created manually within the same Realm, use
naming conventions to ensure these names do not conflict with Active
Directory group names.
■
Performance for the import from Active Directory to IDM varies
depending on your environment. Using a 1.86 GHz processor with
2GB RAM, importing 20,000 Active Directory users in 75 groups takes
approximately 65 minutes. A similar test that imported 10,000 of
20,000 users by selecting 2 of the 75 groups completed in 30 minutes.
■
Once the initial synchronization is completed, IDM monitors all
changes to the Active Directory which much less system resources.
If Active Directory synchronization is disabled or IDM is restarted, all
groups must be resynchronized.
■
Importing only relevant groups can reduce the import time signifi-
cantly. Selecting only groups of users for which access policies are
defined instead of selecting the Domain Users group (which includes
all users in the domain) can significantly reduce the amount of
information that must be maintained in IDM and synchronized with
Active Directory.
■
When Active Directory is queried for the "Add or Remove Groups"
function in IDM, it may take several seconds to display the list of
available groups. An hourglass is displayed when such an extended
process is occurring. Performance will vary depending on your envi-
ronment. Using a 1.86 GHz Intel Core2 Duo processor with 2GB RAM
takes approximately 30 seconds to present a list of 20,000 groups.
■
If an error occurs while attempting to read the Active Directory, an
entry is made in the IDM events log, and IDM attempts to reconnect
to Active Directory once per minute.