[IAG] Domain user security groups are nested and cannot be associated with policies

Problem Description

The domain security group associated with the Internet access policy has security groups nested under it. Users in the nested security group do not match the policy.

Effective troubleshooting steps

  1. Check whether the domain server has "Support security group nesting" checked.

  2. Only some of the groups were selected for the synchronized BaseDN. After the entire domain controller was selected instead, policy matching was normal.

  3. The cause was an incomplete synchronized BaseDN: the OU corresponding to the nested security group was not synchronized, which resulted in the exception.

Solution

The synchronized BaseDN must include all nested security groups and corresponding user OUs.
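One way to check this coverage offline before changing the sync scope, as an added example that is not Sangfor code: it walks the nesting tree of the policy group and lists every nested group or user whose DN falls outside the synchronized BaseDNs. The directory data, DNs and function names are constructed for illustration, and DN parsing is simplified to comma-separated RDNs with backslash-escaped commas.

```python
import re

def dn_parts(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def in_scope(dn, base_dns):
    """True if dn equals or sits beneath one of the synchronized BaseDNs."""
    parts = dn_parts(dn)
    for base in base_dns:
        b = dn_parts(base)
        # Compare whole RDN components so OU=Staff does not match OU=Staffing.
        if len(parts) >= len(b) and parts[-len(b):] == b:
            return True
    return False

def nested_closure(group_dn, members):
    """All groups and users reachable from group_dn; tolerates circular nesting."""
    seen, stack = set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(members.get(dn, []))
    return seen

def unsynced(policy_group, members, base_dns):
    """Sorted DNs in the policy group's nesting tree that no BaseDN covers."""
    tree = nested_closure(policy_group, members)
    return sorted(d for d in tree if not in_scope(d, base_dns))

# Constructed sample directory: group DN -> direct member DNs.
POLICY_GROUP = "CN=Internet-Access,OU=Groups,DC=example,DC=local"
CONTRACTORS = "CN=Contractors,OU=Partner Groups,DC=example,DC=local"
MEMBERS = {
    POLICY_GROUP: ["CN=alice,OU=Staff,DC=example,DC=local", CONTRACTORS],
    CONTRACTORS: ["CN=bob,OU=External,DC=example,DC=local",
                  POLICY_GROUP],  # circular nesting, must not loop forever
}
PARTIAL = ["OU=Groups,DC=example,DC=local", "OU=Staff,DC=example,DC=local"]
WHOLE = ["dc=example,dc=local"]  # whole domain selected

if __name__ == "__main__":
    for dn in unsynced(POLICY_GROUP, MEMBERS, PARTIAL):
        print("outside synchronized BaseDN:", dn)
```

With the partial BaseDN selection, the nested group and its user are reported; with the whole domain selected, nothing is.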

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=9448&isOpen=true