Using ntdsutil.exe to resolve AD aggregation exceptions

  • 7011213
  • 20-Jun-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

Using ntdsutil.exe to resolve AD aggregation exceptions

Resolution

The Access Governance Suite aggregation operation provides several hooks for running rules that process and format the account information into an identity-friendly resource object. As a side effect, each account takes some time to process, so the time per page grows directly with the number of accounts in the page. Under some conditions, the time to process one page of accounts exceeds the AD server's timeout settings, and fetching the next page of accounts from the AD server then fails with a timeout exception.

To fix this scenario, do one of the following:
1) rework the rules to shorten the processing;
2) redefine Access Governance Suite's application settings to fetch fewer accounts in a single page;
3) redefine IIQ's application settings to fetch the entire account list in the initial page;
4) reconfigure the AD server to allow sufficient time to process a page of accounts.

The Access Governance Suite UI provides fields to accomplish the first three options; the final option requires an AD admin tool. The "ntdsutil.exe" tool displays (and can change) the AD LDAP policy settings. For example, this Microsoft Support article details the tool and the policy:
 
http://support.microsoft.com/kb/315071
 
MaxConnIdleTime - The maximum time in seconds that the client can be idle before the LDAP server closes the connection.  If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.

Default value: 900 seconds
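The following PowerShell script is an added example, not part of this KB article or of the Access Governance Suite product. It reads the current MaxConnIdleTime from a domain controller with ntdsutil.exe, compares it with the time one page of accounts takes to process, and only changes the policy when explicitly asked. The DC name, the measured page time and the 50% headroom factor are assumptions; ntdsutil.exe must be available (on a DC or with RSAT) and run with sufficient AD administrative rights.

```powershell
# Added example (not from the KB): check and, on request, raise MaxConnIdleTime with ntdsutil.exe.
param(
    [string]$DomainController = 'DC01.example.test',  # placeholder DC name (assumption)
    [int]$PageSeconds = 1200,                         # constructed: measured time to process one page of accounts
    [switch]$Apply                                    # the policy is only changed when this switch is given
)

# ntdsutil accepts its interactive menu commands as arguments; multi-word commands are quoted.
$show = & ntdsutil.exe 'ldap policies' 'connections' "connect to server $DomainController" 'quit' 'show values' 'quit' 'quit' 2>&1

# "show values" lists one policy per line, e.g. "MaxConnIdleTime  900"; pick that line out.
$line = $show | Select-String -Pattern '^\s*MaxConnIdleTime\s+(\d+)' | Select-Object -First 1
if (-not $line) {
    throw "Could not read MaxConnIdleTime from $DomainController. ntdsutil output:`n$($show -join "`n")"
}
$current = [int]$line.Matches[0].Groups[1].Value
Write-Host "MaxConnIdleTime on ${DomainController}: $current s (AD default is 900 s)"

if ($PageSeconds -le $current) {
    Write-Host "Page processing ($PageSeconds s) fits within the idle timeout; no LDAP policy change is needed."
    return
}

# Leave headroom so an occasionally slow page does not hit the limit again (factor is an assumption).
$target = [int][math]::Ceiling($PageSeconds * 1.5)
Write-Warning "Page processing ($PageSeconds s) exceeds MaxConnIdleTime ($current s); proposed new value: $target s."
Write-Warning "This policy applies to every LDAP client of the DCs using the same query policy; treat the change as domain-wide."

# ntdsutil sequence to change the policy; "commit changes" is required or the new value is discarded.
$cmds = @('ldap policies', 'connections', "connect to server $DomainController", 'quit',
          "set MaxConnIdleTime to $target", 'commit changes', 'quit', 'quit')
if ($Apply) {
    & ntdsutil.exe @cmds
} else {
    $quoted = ($cmds | ForEach-Object { '"' + $_ + '"' }) -join ' '
    Write-Host ("Re-run with -Apply to execute:`n  ntdsutil.exe " + $quoted)
}
```

Options 1 to 3 of the resolution (shorter rules, smaller pages, or a single full page) keep the change inside Access Governance Suite; raise the DC policy only when those are not acceptable.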