Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] PSPNG Provisioned groups in AD

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] PSPNG Provisioned groups in AD

Chronological Thread 
  • From: "Black, Carey M." <>
  • To: "Weston, Todd" <>, "" <>
  • Subject: RE: [grouper-users] PSPNG Provisioned groups in AD
  • Date: Wed, 26 Feb 2020 19:26:41 +0000
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kgYOzqqpRjIGFtquhxyszSsexjMOnWH9lS7fvkn4GHY=; b=br1CtPsAuJhEH4v4s5wkKJyc/m1L4oHZiioVtH+3uccAe/QE/W8lRnMGx78uXqTuMU9Eo1j80qZmP/3yazvu0RUVJytf369NW22/dgre1FCWKEBWrD9nGOrH58MC1d07ksFsvhy2SsqivHvUi9TIfGkBcapJDqopGdslwDahh70ZuOUTs5VrWjzX2P+kdd5iT/xkoOzPWUxk1r/mAgmk7n69VUzjC7GCClBNKpDNJa4dlLK2uhrlcgbpFrMTo+YSv3Np/u2aesutjIQKlV+6De4eiGISZWC7Q8s0a7mBprCS0xC7sNkRA5QEIcLCbcYXoqHvOsCLFC2th9sikOh1gg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=HuJOiF8dzudceGBVTaLcOboumWv1bhVCVpheRZsUbSCv/TP2E0Jc9wCawHw1ZmOwgG7v2lLmDCZisfqIiRU5jWq18kApdORVGABetsJ9YtuKEuRuDg+Uf+2NdQJp8gfLsA4yrckLZBp3vlN5uMJAhyskJkIiFJ2L6nBYIEiUhb2GyZU1GEgDEKaGqxfrM/6BPnRGrFMvTrrhZFLpKX4gaVYKQfAIddOdkJxWFNjh4Nj21F13K3BPuqr2GJ2eoQy8GYeXjeSW5r3t5pcWJI7qugNAr2HHP+NsnzdIulE+V4Y0Oboho8QiJ3acQad5o9s3YTD+xBdVZ1+Cl4iKUkMcLQ==



RE: Manual modifications

                It depends on how you have it configured and when the “full provisioning runs”. When it runs it should correct the memberships (adds and/or removes) to match what is in Grouper.


                NOTE: The grouper tooling does not “listen for changes”. Rather the jobs run on a “cron type”(time of day) schedule. So if you only correct the group “once a day” it will be right at least once a day. :)

                                It is best to help your AD admin know that the groups “in that OU” are not to be manually/directly altered. ( Use Policy instead of Technology. )


                Check the for edu.internet2.middleware.grouper.pspng.FullSyncStarter and when it is scheduled to run.


RE: Large groups

                I wonder if you see 1000 (or less) users in the groups in AD?

                Maybe you did not configure the connection as “AD” ( …. .isActiveDirectory = true ) and/or if you do not have the paging set up properly on the LDAP connection? (ldap.<yourLDAPname>.pagedResultsSize = 1000 )


Hope that helps.


Oh and “Grouper 2.4.0” is a good ball park. However, there are 12 PSPNG patches that really matter too. So you might check which patch level you are using too.

  Start gsh and it will output a line at the top Example: “pspng patches installed:      0, 1, 2, 3, 4,……” ( then enter 5 characters  “ :exit ”  and then press enter to exit gsh )



Carey Matthew


From: <> On Behalf Of Weston, Todd
Sent: Wednesday, February 26, 2020 2:03 PM
Subject: [grouper-users] PSPNG Provisioned groups in AD


I’m new here, so if these have already been covered, please point me in that direction:


  1. Manual modifications - What are the implications of an admin editing a grouper-generated group via ADUC or PowerShell and removing or adding users? I would like to have grouper override these changes and force the group membership back to compliance with the compositing/inclusion methods defined in the Grouper config for the group. I did some testing and it doesn’t appear to work that way “out of the box.”
  2. Large groups – We have a large group ( enrolled.students = 27K users) that doesn’t seem to be provisioning (I’ve only been waiting 1 day, so I might just be impatient). Most other groups have been provisioned in AD and populated. Anywhere to look for failures? The grouper_error.log is churning so fast I wouldn’t even know what to look for…


I’m an old-school Windows guy, so please don’t assume a lot of Linux context is residing in me…

Grouper 2.4.0, MySQL 5.5



QR to scan into contacts

Todd Weston

Information Security Analyst, Identity |

Information Technology Services | Washington State University

Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222




Archive powered by MHonArc 2.6.19.

Top of Page