prajoshgeorge
Level 10

Not retrieving all AD groups

Hi all,

While making a rule to check if the user is a member of a specific AD group, I noticed that when retrieving the AD groups of the AD user using the Authentication.UserGroups property, it doesn't show all the groups that are shown when viewing the "Member Of" tab of the user in AD Users and Computers. When I perform the Authentication Test in Settings > Authentication > AD Authentication, not all of the groups the AD user is a member of are shown. Any idea why this is the case?

Thanks

0 Kudos
1 Solution

Accepted Solutions
prajoshgeorge
Level 10

Re: Not retrieving all AD groups

Web Reporter was able to retrieve the distribution groups using LDAP parameters... so I guess it should work for Web Gateway too.

Yup, I found Authentication.GetUserGroups<authentication> and used LDAP authentication to get the distribution groups also. Thanks for the help.

So I am now authenticating using NTLM, and when it comes to checking if the user is a member of a distribution group, I use the above function. In the LDAP configuration, I have selected memberOf as the attribute to retrieve.

I hope I am implementing this in the right way and that it does not cause any erratic behaviour when retrieving the groups.

Message was edited by: prajoshgeorge on 9/17/13 8:30:15 PM AST
0 Kudos
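
The accepted solution above found the missing groups to be distribution groups that only the LDAP `memberOf` lookup returned. The following added example (not from the thread or from the product) compares a user's LDAP `memberOf` list with the group list seen after NTLM authentication and uses each group's AD `groupType` attribute to explain the gap. All sample data is constructed, and it assumes NTLM-derived names look like `DOMAIN\group` and match the group's CN.

```python
# groupType bit that AD sets on security groups; distribution groups leave it clear.
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

def cn_of(dn):
    """Return the first RDN's value from a DN, honouring backslash-escaped characters."""
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1  # keep the escaped character, drop the backslash
        out.append(dn[i])
        i += 1
    attr, _, value = "".join(out).partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("DN does not start with CN=: %r" % dn)
    return value.strip()

def explain_gap(member_of, group_types, ntlm_groups):
    """Classify every memberOf entry that is absent from the NTLM-derived list."""
    seen = {g.split("\\")[-1].lower() for g in ntlm_groups}  # assumed DOMAIN\name form
    report = {"distribution": [], "security_missing": []}
    for dn in member_of:
        name = cn_of(dn)
        if name.lower() in seen:
            continue
        # AD stores groupType as a signed 32-bit integer, so security groups are negative.
        is_security = bool(int(group_types[dn]) & GROUP_TYPE_SECURITY_ENABLED)
        report["security_missing" if is_security else "distribution"].append(name)
    return report

# Constructed sample data: memberOf DNs with their groupType values as LDAP returns them.
SAMPLE_TYPES = {
    "CN=Web-Admins,OU=Groups,DC=example,DC=com": -2147483646,    # global security
    "CN=All Staff\\, HQ,OU=Lists,DC=example,DC=com": 2,          # global distribution
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": -2147483646,     # global security
    "CN=Proxy-Exempt,OU=Groups,DC=example,DC=com": -2147483644,  # domain local security
}
SAMPLE_NTLM = ["EXAMPLE\\Web-Admins", "EXAMPLE\\VPN-Users"]

if __name__ == "__main__":
    print(explain_gap(list(SAMPLE_TYPES), SAMPLE_TYPES, SAMPLE_NTLM))
```

Groups reported under `distribution` need the LDAP lookup if a rule depends on them; anything under `security_missing` points at a different cause, such as the local/global group settings or the authentication cache raised in the replies.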
15 Replies
vidrine
Level 9

Re: Not retrieving all AD groups

How many groups are shown assigned to the user within AD?  Though, I doubt you should run into a paging issue for MemberOf values.

And do you have a search base specified for what groups you're looking for?  Or are you simply trying to return every group a user has?

0 Kudos
McAfee Employee

Re: Not retrieving all AD groups

Check the box for get local groups in the settings for "AD Authentication".

Best,

Jon

0 Kudos
prajoshgeorge
Level 10

Re: Not retrieving all AD groups

I have selected both local and global.

For example, in my case, I am a member of 22 groups, but MWG shows only 12 in the Authentication test, even rule tracing shows the same 12 groups.

If it helps, out of the 12, there is one group I am not directly a member of, but the group I belong to is a member, so that shows up as me being a member, which is OK.

The rule I am trying to create is checking if the user is a member of a group X, but it doesn't show the group in MWG even though it is there in AD.

0 Kudos
vidrine
Level 9

Re: Not retrieving all AD groups

Haven't tested the use of recursive/nested group membership, yet.

0 Kudos
prajoshgeorge
Level 10

Re: Not retrieving all AD groups

Of course, the user is a direct member of the group I am trying to check. I tried the authentication test for 3-4 users; it happens to all of them.

0 Kudos
McAfee Employee

Re: Not retrieving all AD groups

Did you recently add them to these groups? The authentication cache could play a factor if you set it to a really high value.

Best,

Jon

0 Kudos
prajoshgeorge
Level 10

Re: Not retrieving all AD groups

No, they were present in the group for more than 2-3 years; I recently migrated to 7.3.2.2 from 6.9.4. Same for my case. Initially only "Get global groups" was ticked; 6 hours back I enabled "get local groups" also. 15 mins back I tried the authentication test and yet it doesn't show all the groups. Only the same groups I saw earlier.

0 Kudos
vidrine
Level 9

Re: Not retrieving all AD groups

Just tested the recursive/nested group support - for science. And it's pulling all my user's memberOf information into the Authenticated.UserGroups property.

0 Kudos
prajoshgeorge
Level 10

Re: Not retrieving all AD groups

How many groups is the user a member of? I tried AD users with 2-3 groups and it retrieves them.

Message was edited by: prajoshgeorge on 05/09/13 13:37:23 CDT
0 Kudos