Configuring the Active Directory User Manager
 |
All values below are by default disabled; default cache timeout is set to 10 minutes. |
The Settings node implements features that may impact performance from caching users to excluding certain operations. These options are discussed in greater detail in the relevant topics. The following features provide performance enhancements for the AD user manager.
User Manager Settings
- Click on the Settings option.
- The following K2 Settings screen will open:
Fig. 1. K2 User Manager Settings
When a query is passed to the AD user manager, it will return all results in the query unless the number of users is limited or one of the other settings affects the number of users returned. Limiting the number of users and groups returned will enhance performance by ensuring that a manageable number of items are returned.
|
There is a Settings node directly under User Managers node that is used to limit the number of items returned from any registered user manager. The default for this is 100. |
 |
Keep in mind that when granting rights to all users in the domain, it is more efficient to use the built-in Domain Users group rather than an AD group that may contain all domain users. |
Service Instance Properties
The number of users are limited by configuring the Service Instance Properties.
| Settings | Description |
|---|---|
|
Cache Timeout |
When a user’s credentials are used for the first time, they are cached. If the user credentials are required again within the timeout period, the cached credentials will be supplied. If the timeout period has expired, the system will interrogate the AD user manager to return user authentication. The timeout interval is specified in whole minutes only. |
|
Resolve Nested Groups |
Groups within AD user manager may contain sub or nested groups within a group. The users within these nested groups will be resolved when this option is enabled. |
|
Ignore Foreign Principals |
This setting will either allow (if False) or deny (if True) membership principals from foreign domains resolving on K2 Server. Also referred to as Cross-Domain or Cross-Forest membership. ForeignSecurityPrincipals allows users from a different domain (i.e. DOMAIN-B) to become members of groups on another domain (i.e. DOMAIN-A). If a group contains a foreign principal, and this setting is False, the user will be resolved against K2. If the setting is set to True, the user/group will not be resolved. |
|
Ignore User Groups |
This option enables the Administrator to exclude user groups from being resolved and only the user accounts will be resolved as part of the current domains. |
Additional Information
For further information on the Active Directory User Manager, see the following resource:
- How to register labels against multiple domains: http://help.k2.com/en/KB000182.aspx
