This configuration parameter specifies whether adclient iterates through users to look for private groups when searching for groups.

The adclient process may receive periodic requests from processes such as adnisd for all zone-enabled users and groups. adclient queries Active Directory for those users and groups. By default, adclient queries only for group objects when searching for groups. When dynamic private groups are turned on (using the configuration parameter ), it creates private groups with a single user where the primary GID of the private group is set to the user’s UID. When dynamic private groups are present, adclient must search through user objects as well as group objects when looking for groups.

This parameter’s value must be either true or false. When true, adclient iterates through user objects in Active Directory when searching for groups. When false, adclient does not iterate through user objects when searching for groups.

Note that iterating through users isn’t noticeably slower than iterating only through groups until the numbers of users get into tens or hundreds of thousands. In these numbers, iteration may take more time.

If this parameter is not defined in the configuration file, its default value is initially false. Once adclient encounters a private group, it sets this parameter’s value to true for the rest of adclient’s process lifetime or until a user sets this parameter in the configuration file.