Apr 20, 2017

    Adding and Syncing large numbers of AD groups

    Thomas Cook

      As use on our server grows we are getting more and more requests to add AD groups to the server. I wrote a script that compares the groups in AD to the groups on the server and adds any new ones. I did some testing with 1000 groups. It took about 50 minutes to add them (a one-time cost) but only 17 minutes to sync them all. The problem is that would mean it would take about 8.5 hours to sync all 30,000 groups in our AD. Doesn't seem like a good use of the backgrounders.


      I came up with a few paths:

      1. Add all the groups, but only sync them on the weekend.
      2. Have some sort of naming convention the script can filter on. Any group with a name starting with 'tab-' would get added automatically, but users would still need to request other groups.
      3. Use a Google Sheet that everyone can write to. Any group in the list will get added by the script.


      How are others handling this?
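
Options 2 and 3 combined in one selection step, as an added example that is not the poster's script: the shared request list is treated as untrusted input and every entry is checked against AD before it is queued. The function names and sample group names are constructed for illustration; the 17-minutes-per-1000 rate is the figure from the post.

```python
# Added example: function names and sample data are hypothetical.
# Selection only; it does not call AD or the server.

def estimate_sync_minutes(group_count):
    """Scale the post's measurement: 1000 groups synced in about 17 minutes."""
    return group_count * 17 / 1000

def plan_group_adds(ad_groups, server_groups, requested, prefix="tab-"):
    """Return (to_add, rejected, total_after_add).

    ad_groups:     names read from AD (authoritative source)
    server_groups: names already present on the server
    requested:     names from the shared request list (untrusted input)
    """
    # Group names compare case-insensitively; keep AD's spelling as canonical.
    ad_by_key = {g.strip().casefold(): g.strip() for g in ad_groups}
    on_server = {g.strip().casefold() for g in server_groups}

    # Option 2: anything following the naming convention is taken automatically.
    wanted = {k for k in ad_by_key if k.startswith(prefix.casefold())}

    # Option 3: a requested name counts only if it exists in AD.
    rejected = []
    for name in requested:
        key = name.strip().casefold()
        if not key:
            continue  # blank row in the sheet
        if key in ad_by_key:
            wanted.add(key)
        else:
            rejected.append(name.strip())  # typo or unknown group: report it

    to_add = sorted((ad_by_key[k] for k in wanted - on_server), key=str.casefold)
    return to_add, rejected, len(on_server | wanted)

# Constructed sample data
AD = ["tab-finance", "TAB-Sales", "hr-all", "eng-platform", "tab-ops"]
SERVER = ["tab-finance", "hr-all"]
REQUESTED = ["Eng-Platform", "hr-all", "domain admins typo", " ", "tab-ops"]

if __name__ == "__main__":
    to_add, rejected, total = plan_group_adds(AD, SERVER, REQUESTED)
    print("add:", to_add)
    print("rejected requests:", rejected)
    print("sync estimate (min):", estimate_sync_minutes(total))
```

Keeping the rejected list as a separate return value lets the script report bad requests back to the requester instead of silently dropping them.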