nss.group.skip.members
This configuration parameter allows you to skip the retrieval of group membership information for specific groups. Retrieving group membership information from Active Directory can be a very time-consuming and memory-intensive operation for groups with a large number of users, or when using nested groups, but in many cases this information is not needed to perform common UNIX operations. Using this configuration parameter to skip the retrieval of group membership information for specific groups can greatly improve performance for groups with a large number of members.
The parameter value should be a comma-separated list of the UNIX commands for which you can skip group member expansion in the getgrent() call.
The default setting for this configuration parameter is the following for most systems:
ls,chown,find,ps,chgrp,dtaction,dtwm,pt_chmod,id,login,sshd,sshd2,getty,dtlogin,su,adsetgrps,adid
For AIX systems, the default is the following:
nss.group.skip.members=ls,chown,find,ps,chgrp,dtaction,dtwm,pt_chmod,id,login,sshd,sshd2,getty,dtlogin,su,adsetgrps,adid
Setting this parameter does not affect the information returned when the nscd or pwgrd daemon is running on a system. These daemons provide a cache for faster user and group lookups, but when the response comes from this cache, the agent cannot modify the response to skip group members for the commands listed in this parameter.
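As an added example (not vendor code), the shell functions below read the parameter from a configuration file, report whether a given program is on the skip list, and report whether nscd or pwgrd is running, in which case cached answers bypass the setting. The file path argument, the "name=value" or "name: value" line syntax, the last-setting-wins rule, and matching on the program's base name are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed: "name=value" or "name: value" lines,
# "#" comments, last setting wins, programs matched by base name.

# Print the effective skip list, one program per line. When the parameter is
# absent from the file, use the default this page documents.
skip_members() {
    key='^[[:space:]]*nss\.group\.skip\.members[[:space:]]*[=:]'
    default='ls,chown,find,ps,chgrp,dtaction,dtwm,pt_chmod,id,login,sshd,sshd2,getty,dtlogin,su,adsetgrps,adid'
    if grep -Eq "$key" "$1"; then
        value=$(sed -n "s/$key[[:space:]]*//p" "$1" | tail -n 1)
    else
        value=$default
    fi
    # Split on commas and trim stray whitespace such as "id, login".
    printf '%s\n' "$value" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Return 0 if program $2 (path or name) is on the skip list in file $1.
skips_members_for() {
    skip_members "$1" | grep -Fxq -- "$(basename -- "$2")"
}

# Print each cache daemon named on this page that is currently running.
cache_daemons_running() {
    for d in nscd pwgrd; do
        if ps -e -o comm= 2>/dev/null | grep -Eq "(^|/)$d\$"; then echo "$d"; fi
    done
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'nss.group.skip.members=ls,id, login,sshd' > "$sample"
for prog in /usr/bin/id login getent; do
    if skips_members_for "$sample" "$prog"; then
        echo "$prog: group members skipped"
    else
        echo "$prog: group members returned"
    fi
done
for d in $(cache_daemons_running); do
    echo "note: $d is running; answers served from its cache ignore this parameter"
done
rm -f "$sample"
```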