0 votes

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual OUs and groups with a few implicit denies as well are very slow to load and things like the "add to group" can take a minute or more to display.

Would it be better to put those scopes into a business unit and use the business unit in the security role "assigned over"?

I have 42 assignments for that security role (including 16 denies) and expect it to grow as we add more domains.

by (40 points)
0

Hello,

First of all, if you want a user to have unrestricted permissions in Adaxes, there is no need to use security roles. You can add the user to the service administrators list: https://www.adaxes.com/help/AddRemoveServiceAdministrators.

Using a business unit will not work better. Also, it does not allow you using OUs as subtree, which means that you will need to add all objects (user, groups, subOUs, etc.) to the unit explicitly.

Such slowness can be observed when you have lots of security roles (100+) and lots of assignments (200+) in a role. In your case, the slowness does not seem to be related to user permissions. To help us troubleshoot the issue, please, provide the following details:

  1. What operations are performed slow? What about logging in to the Web interface?
  2. Are the operations also slow in the Administration console?
  3. Did you try to sign in with the credentials of the Adaxes service account (specified during Adaxes installation)? Is it also slow when performing operations as this account?
  4. On how many computers is the Web interface installed? On how many computers is Adaxes service installed? Are the Web interfaces and Adaxes services installed on the same computer(s)?
  5. Do you have at least 1 DC for each managed domain in the same AD site as Adaxes?
0
  1. The slowness is mainly on the home page where we have many reports pulling from all the managed domains. As well as when viewing a user object, the memberOf section will not show the "More" button when selecting a group. Sometimes it can take 2 minutes before you are able to use the "More" button to add others to a group or export the group list.
  2. The only users of the Admin console are the admins with full access, and no slowness is seen.
  3. when signing in with any of the admin accounts, there is no slowness.
  4. I have 2 servers running both the web interface as well as the service.
  5. I do not have a DC for each domain in the same site, there are 2 or 3 domains that are cloud only and are reached open site-to-site VPN tunnels.

1 Answer

0 votes
by (228k points)

Hello,

Thank you for the provided details. It looks like the issue is about the security roles configuration. It is recommended to decrease the number of roles and assignments as much as possible. Also, it is recommended not to have a lot of group membership nesting levels. That is something that can significantly influence performance and there is no workaround.

Also, if you are not using the latest version of Adaxes, it is recommended to upgrade. For information on how to check your current version and whether your license can be used with the latest one, see https://www.adaxes.com/help/CheckUpdates.

Related questions

0 votes
0 answers

I am trying to find a way to create Groups based off an OU and a list of options (check boxes) within the portal For example: Select the Target OU to add groups ... 3 - Remote Administrators Option 3 - Remote Developers Option 4 - Readers Option 4 - Writers

asked Sep 11, 2020 by dknapp (100 points)
0 votes
1 answer

Hi Everyone I want to create a custom command where I can select multiple users and then select a mailbox and give them full access to the mailbox. Is there a way to do it? Thank you for help

asked Nov 2, 2021 by Sandberg94 (320 points)
0 votes
1 answer

I would like users to use Adaxes to add themselves or others to a group, but instead of it just working, it has to go thru an approval process and be approved by the group owner before they are added. Thanks!

asked Jun 30, 2021 by RayBilyk (220 points)
0 votes
1 answer

We are using the SeeAlso attribute to store who is responsible for specific accounts. We do not wish to use the Manager field, because the Manager/Direct Report structure is ... to, for example, extende the expiration date of an account. Is that possible?

asked Jan 28, 2020 by manuel.galli (100 points)
0 votes
1 answer

I'm trying to schedule a report to look in a few specific OUs. Currently "Look in" location only allows for single instance or multiple drop downs. How do I schedule multiple OU locations without creating multiple reports?

asked Jul 2, 2020 by Al (20 points)
2,807 questions
2,541 answers
6,615 comments
65,243 users