What are some suggestions and recommendations for creating ActiveView rules? (NETIQKB6374)

  • 7706374
  • 02-Feb-2007
  • 20-Jun-2007


What are some suggestions and recommendations for creating ActiveView rules?

How do I increase performance of my ActiveViews?

What are some best practices for creating ActiveViews?

Directory and Resource Administrator 6.x

Directory and Resource Administrator 7.x


You can configure your ActiveView rules to optimize performance for your enterprise. The following optimization tips can significantly increase performance when managing domains that contain over 250,000 objects.

TIP #1:  Use Specific Matches

Specific matches let you identify the exact objects to include in an ActiveView. For example, you can create an ActiveView that includes user accounts from a specific OU. If your Active Directory structure allows you to specify objects by OU or domain, define rules that include objects from the specific OU or domain. If you need to specify objects from several OUs, and these OUs are unlikely to change, define a rule for each OU. For example, if you want to create an ActiveView that includes computers from the Sales and Marketing OUs, define a rule for each OU.

All rules that define a specific object, such as an OU, group, user, computer, or contact, can optimize your model. Rules that specify a user principal name or logon name may not optimize your model.

TIP #2:  The Use of Wildcards

If your security model uses a naming convention, wildcards offer tremendous power and flexibility. For example, you can create an ActiveView that excludes user accounts whose names match wildname. When using a naming convention, keep in mind that wildcard matches that look for prefixes, such as ATL*, groups, or pre-Windows 2000 names provide better performance.

For more information about wildcards, please refer to the following Knowledge Base Article:

  • NETIQKB33312: What are some recommendations for the user of wildcards when creating ActiveView rules?

TIP #3:  The Use of Groups

Groups can help you implement a dynamic security model while optimizing performance. For example, if you need to configure an ActiveView that includes many objects from multiple OUs or domains, you can create a group that contains these objects and then create an ActiveView that includes members of this group. In this case, the ActiveView has one rule that acts on one specific object (the group), even though it includes multiple objects (the group members).

If the Active Directory structure and group set are unlikely to change, you can define a rule for each group, specifying the group and its members.

To make your security model dynamic, the ActiveView can be maintained through a wildcard specification that acts on established group naming conventions. For example, if the pre-Windows 2000 names of your groups have a common prefix, you can define a single rule that matches this prefix.

TIP #4:  Reduce Repetitive Delegation

An Assistant Admin should ideally be delegated to an ActiveView once and preferably have all Roles and Powers consolidated into one custom Role.  When an Assistant Admin is delegated to numerous Assistant Admin Groups there is a potential that these groups delegation to ActiveViews can overlap and therefor result in duplicate enumeration.  Let's use for example an Assistant Admin that is delegated to a HelpDesk Assistant Admin Group and a Houston Assistant Admin Group.  Both of these groups are then delegated to an ActiveView to manage the same objects, but with different or overlapping Powers/Roles.  DRA will enumerate the managed objects for this ActiveView TWICE, once for each Assistant Admin Group delegation.  This is the type of repetitive delegation that should be minimized as it is needless enumeration of the same objects and can effect performance.

Additional Information

Formerly known as NETIQKB6374