
grouper-users - Re: [grouper-users] PSPNG Provisioned groups in AD

Subject: Grouper Users - Open Discussion List

  • From: Jeffrey Williams
  • To: "Weston, Todd"
  • Subject: Re: [grouper-users] PSPNG Provisioned groups in AD
  • Date: Wed, 26 Feb 2020 14:31:20 -0500

On Wed, Feb 26, 2020 at 2:03 PM Weston, Todd wrote:

I’m new here, so if these have already been covered, please point me in that direction:


  1. Manual modifications - What are the implications of an admin editing a grouper-generated group via ADUC or PowerShell and removing or adding users? I would like to have grouper override these changes and force the group membership back to compliance with the compositing/inclusion methods defined in the Grouper config for the group. I did some testing and it doesn’t appear to work that way “out of the box.”
During the next full-sync, Grouper should set the membership back to what it knows the membership to be.  Additionally, any non-identifying attributes, attributes not used in the singleGroupSearchFilter but defined in the template (e.g. Description, displayName, etc.) should also be corrected as well.  Those sorts of changes won't happen with incrementals, however.
  1. Large groups – We have a large group ( enrolled.students = 27K users) that doesn’t seem to be provisioning (I’ve only been waiting 1 day, so I might just be impatient). Most other groups have been provisioned in AD and populated. Anywhere to look for failures? The grouper_error.log is churning so fast I wouldn’t even know what to look for…
grouper_error.log is the correct file to look at.  You can search in the log file for that group name and look around for ERROR entries.  AD's 1000 record LDAP query limit can impact how fast that gets loaded, so 27k may take a short while for one daemon, but I think anything more than an hour would be cause for concern for an AD and Grouper environment that are sized for enterprise usage.

If you want to post a sanitized version of your that's relevant to where you're trying to provision to, that might be helpful.


I’m an old-school Windows guy, so please don’t assume a lot of Linux context is residing in me…


Grouper 2.4.0, MySQL 5.5



Todd Weston

Information Security Analyst, Identity |

Information Technology Services | Washington State University

Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222




Jeffrey Williams 
Identity Engineer
Identity & Access Services
