There is a lack of documentation for the BigFix setting: ActiveDirectory UserRefresh Seconds

The client setting BESClient_Inspector_ActiveDirectory_UserRefresh_Seconds was introduced in client version 8.1.535 according to the release notes, but the release notes have a typo and leave off the last s.

The documentation and release notes reference the default interval being 12 hours, but I have also seen references to the default value being shorter.

Related: https://gist.github.com/jgstew/51a99ab4b5997efa0318

The 12 hours refers to the refreshing of the Computer information only, not the user information. By default the client will request the information for the user on login and never again until the user logs in again (which matches the actual OS behaviour).

_BESClient_Inspector_ActiveDirectory_UserRefresh_Seconds

Type: Numeric 
Version: 8.1 
Platform: All 
MinNumeric: 1200 (20 mins) 
MaxNumeric: maxuint32 
Default: maxuint32 
Requires Client Restart: NO 
Description: A setting used to control how long active directory inspector will take before attempting to refresh and re-request the data from AD for user information. Setting to maxuint32 disables refresh after login.

Thanks for the clarification.

I saw the 20 min and wasn’t sure if that was the default, or the 12 hour value was the default that I’ve seen mentioned, or if it was once per login (basically never refresh, except when a user logs in).

If I set the refresh to once every 4 days or something like that, will the refresh still always happen when a new user logs in? Or when an existing user logs out and then logs in? Or would it always wait the 4 days?

Refresh will always happen on login no matter what. The setting will determine when (if at all) the update will occur.

The issue here is user groups and data are often large. So be careful that all your endpoints don’t hit the AD servers at similar times or it’s pretty easy to ask for a lot of data over tens or hundreds of thousands of endpoints.
