Improve performance in large Active Directory structures by changing search filters 

  • 16 February 2021

This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not imply that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.


Starting with the K2 blackpearl 4.7 May 2017 Cumulative Update, you can improve the performance of large Active Directory structures by modifying the filters used between Active Directory and K2. Use the steps below to change these filters in the HostServer.SecurityLabel table and on the AD Service 2 service instance.

Changing this configuration changes the results returned when searching for users. It changes the filter from a Contains to a StartsWith, meaning that string matches only return users whose name begins with the characters you enter.




Step 1: Modify your RoleInit settings

Stop the K2 service before you update the value in the SecurityLabel table. Once you have updated the values, you must restart your K2 service for the changes to take effect.

Add the UseEndsWith, LoadSearchProperties, and AllowUPNInSamAccName role provider initialization settings to the [HostServer].[SecurityLabel] table located in the K2 database. When these settings are not defined, they default to:

  • UseEndsWith = True

  • LoadSearchProperties = True

  • AllowUPNInSamAccName = False


Update these properties to the following values:

  • UseEndsWith = False

  • LoadSearchProperties = True

  • AllowUPNInSamAccName = False

Editing the K2 database can have serious, unexpected consequences that can cause system instability or break K2 components. You should not edit the K2 database unless you are familiar with the procedure and tools to do so, and K2 strongly recommends backing up your K2 database before making any changes. Making unauthorized changes to your K2 database may put your K2 environment into an unsupported state.

  1. Open your [HostServer].[SecurityLabel] table and look for your K2 security label's roleprovider > init node. Add the settings as shown in the following example:

      <init>ADCache=0;LDAPPath=LDAP://DC=DENALLIX,DC=COM;UseEndsWith=False;LoadSearchProperties=True;AllowUPNInSamAccName=False;ResolveNestedGroups=False;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;MultiDomain=False;OnlyUseSecurityGroups=False;LogLevel=Error;LogSize=0;DataSources=&lt;DataSources&gt;&lt;DataSource Path="LDAP://DC=DENALLIX,DC=COM" NetBiosName="DENALLIX" /&gt;&lt;/DataSources&gt;;;</init>

  2. Save the changes and restart your K2 service.
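To confirm the edit in Step 1 before restarting the service, the init string can be parsed and compared with the values listed above. The following is an added example, not K2 code: the function names are hypothetical, the sample strings are constructed from the DENALLIX example, and it assumes you have copied the text inside the init node out of the table in its entity-escaped form.

```python
import html

# Defaults the article gives for settings missing from the init string.
DEFAULTS = {"UseEndsWith": "True", "LoadSearchProperties": "True",
            "AllowUPNInSamAccName": "False"}
# Values the article says to set.
RECOMMENDED = {"UseEndsWith": "False", "LoadSearchProperties": "True",
               "AllowUPNInSamAccName": "False"}

# Constructed sample inputs based on the article's DENALLIX example.
TAIL = ('LogLevel=Error;LogSize=0;DataSources=&lt;DataSources&gt;&lt;DataSource '
        'Path="LDAP://DC=DENALLIX,DC=COM" NetBiosName="DENALLIX" /&gt;'
        '&lt;/DataSources&gt;;;')
SAMPLE_UNCHANGED = "ADCache=0;LDAPPath=LDAP://DC=DENALLIX,DC=COM;" + TAIL
SAMPLE_UPDATED = ("ADCache=0;LDAPPath=LDAP://DC=DENALLIX,DC=COM;  UseEndsWith=False;"
                  "LoadSearchProperties=True;AllowUPNInSamAccName=False;   " + TAIL)


def parse_init(init_text):
    """Parse the text inside <init>...</init> into a dict of settings."""
    settings = {}
    # Unescape first: the ';' that ends &lt; and &gt; is not a separator.
    for part in html.unescape(init_text).split(";"):
        key, sep, value = part.strip().partition("=")  # values may contain '='
        if sep:  # skips the empty parts left by ';;' and padding
            settings[key.strip()] = value.strip()
    return settings


def audit_init(init_text):
    """Return {setting: (effective, recommended)} for each setting that differs."""
    settings = parse_init(init_text)
    drift = {}
    for key, wanted in RECOMMENDED.items():
        effective = settings.get(key, DEFAULTS[key])  # absent means default
        if effective.lower() != wanted.lower():
            drift[key] = (effective, wanted)
    return drift


if __name__ == "__main__":
    for name, text in (("unchanged", SAMPLE_UNCHANGED), ("updated", SAMPLE_UPDATED)):
        print(name, audit_init(text) or "matches the article's values")
```

An empty result from `audit_init` means the three settings have the values listed in Step 1; a missing setting is reported with its default.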

Step 2: Modify your AD Service 2 settings


  1. Open K2 Management > Integration > Service Instances and select Active Directory Service2

  2. Click Edit to modify the service keys

  3. Set UseEndsWith to False

  4. Set LoadSearchProperties to True

  5. Click the Refresh Service Instance button to activate these changes

