
DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS

Parameter: DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS
Short description: Excludes AD-only members from security groups during directory sync – only registered Domino users are synchronized (new in 14.5.1).

Profile

Parameter: DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS
Category: Security / TLS
Component: Server
Available since: 14.5.1
Supported versions: 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0 = AD-only users are synchronized as well (default), 1 = skip AD-only users in security groups

Description

Directory Sync (dirsync) brings Active Directory groups including their members into the Domino Directory. If an AD group contains both registered Domino users and AD-only accounts, the non-registered accounts are also added as members in the Domino group document via the sync.
With DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS=1 (new in 14.5.1), only members that also exist in the Domino Directory are included for security groups; AD-only entries are skipped.

Example configuration

DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS=1

Notes & pitfalls

  • Only effective from Domino 14.5.1.
  • Affects only the synchronization of security groups – distribution lists remain unaffected.
  • With the flag enabled, ACLs/distribution lists may shrink – verify in advance that all required persons are registered Domino users.
  • Complements DEBUG_DIRSYNC (detailed log) for verification.
  • The change takes effect on the next dirsync run or after the console command tell dirsync run.
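
A pre-flight check for the "verify in advance" advice above, as an added example that is not part of the original page or of Domino itself: it reads the flag from notes.ini text and previews which members each group would keep or lose. Matching members to Domino person documents by lower-cased mail address is an assumption, and all group, user and notes.ini data is constructed.

```python
# Added example: pre-flight estimate of which group members the flag would drop.
# Assumptions (not from the product docs): members are matched to Domino
# person documents by lower-cased mail address; all data below is constructed.

PARAM = "DEBUG_DIRSYNC_DISABLE_AD_MEMBERS_IN_SECURITY_GROUPS"

def flag_enabled(notes_ini_text):
    """Return True if the parameter is set to 1; absent or 0 means default."""
    for line in notes_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == PARAM:
            return value.strip() == "1"
    return False

def preview_sync(groups, domino_users, enabled):
    """Return {group: (kept, skipped)} following the behaviour described above."""
    registered = {u.lower() for u in domino_users}
    result = {}
    for name, info in groups.items():
        members = [m.lower() for m in info["members"]]
        if enabled and info["type"] == "security":
            kept = [m for m in members if m in registered]
            skipped = [m for m in members if m not in registered]
        else:
            # Flag off, or a distribution list: every member is synced.
            kept, skipped = members, []
        result[name] = (kept, skipped)
    return result

# Constructed sample data.
NOTES_INI = "[Notes]\n" + PARAM + "=1\n"
DOMINO_USERS = ["alice@example.com", "bob@example.com"]
AD_GROUPS = {
    "Finance-ACL": {"type": "security",
                    "members": ["Alice@example.com", "svc-backup@example.com"]},
    "Newsletter": {"type": "distribution",
                   "members": ["bob@example.com", "guest@example.com"]},
}

if __name__ == "__main__":
    preview = preview_sync(AD_GROUPS, DOMINO_USERS, flag_enabled(NOTES_INI))
    for group, (kept, skipped) in preview.items():
        print(f"{group}: kept={kept} skipped={skipped}")
```

Any name in a security group's skipped list is an account that would lose membership once the flag is set to 1, so review those entries before enabling it.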