Managed Unit not showing nested group members

Hi,

We have created a Managed Unit with the membership rule 'Include Group Members' and used it to apply a policy. It seems like it is applying the policy to users who are direct members of the group but not to users who are members of the nested groups. So basically it seems like it does not iterate through the nested groups to add users to the Managed Unit.

Thanks

Regards,

Faruq Gilani


    The "Include group members" membership rule only returns the objects that are direct members of the group; this does not include indirect membership (i.e. group A is nested in group B).

    There are methods to do this using an "Include by Query" membership rule. But note this type of query is, or can be, expensive (and slow).

    i.e.:

    (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=<DN of the parent group>))

    This LDAP request will return AD user objects which are either direct or indirect members of the <DN of the parent group> provided in the query.

    Also, when applying Administration Policies or Access Templates against a managed unit, they will only apply to the objects directly contained within the managed unit, NOT to members of a group inside the managed unit.

    I would not recommend applying POs or ATs to a managed unit using the above query; it will make the processing of the permissions or policy checks slower.

    If you can explain the use case you have, we might be able to provide a better solution for the problem.
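As an added illustration (not part of the reply above, and not Active Roles code), the following Python script shows the difference the reply describes: a direct-members lookup versus the transitive expansion that the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) asks the domain controller to perform. The directory contents, group names and DNs are constructed for the example; `nested_member_filter` builds the filter string from the reply with the group DN escaped per RFC 4515, and `nested_user_members` walks the nesting with cycle protection, since circular group nesting is legal in AD.

```python
"""Direct vs. transitive (nested) group membership, mirroring the
LDAP_MATCHING_RULE_IN_CHAIN filter quoted in the reply. Sample data only."""
from collections import deque

# Constructed sample directory: group DN -> list of member DNs.
# Any DN that is not a key is treated as a user here; real AD would check objectClass.
SAMPLE_DIRECTORY = {
    "CN=Group B,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=example,DC=com",
        "CN=Group A,OU=Groups,DC=example,DC=com",   # group A nested in group B
    ],
    "CN=Group A,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Users,DC=example,DC=com",
        "CN=Group C,OU=Groups,DC=example,DC=com",
    ],
    "CN=Group C,OU=Groups,DC=example,DC=com": [
        "CN=Carol,OU=Users,DC=example,DC=com",
        "CN=Group B,OU=Groups,DC=example,DC=com",   # circular nesting: must not loop forever
    ],
}

# Extensible-match rule that makes AD evaluate memberOf transitively.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_member_filter(group_dn):
    """Build the filter from the reply for a given parent-group DN."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:%s:=%s))" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                    escape_filter_value(group_dn)))


def direct_user_members(directory, group_dn):
    """What an 'Include Group Members' rule sees: direct user members only."""
    return {dn for dn in directory.get(group_dn, []) if dn not in directory}


def nested_user_members(directory, group_dn):
    """What the matching-rule-in-chain filter returns: users reachable through
    any depth of nested groups. Breadth-first walk with a visited set so that
    circular nesting terminates."""
    seen, users, queue = set(), set(), deque([group_dn])
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for dn in directory.get(group, []):
            if dn in directory:          # nested group: keep walking
                queue.append(dn)
            else:                        # leaf: a user object
                users.add(dn)
    return users


if __name__ == "__main__":
    parent = "CN=Group B,OU=Groups,DC=example,DC=com"
    print("filter:  ", nested_member_filter(parent))
    print("direct:  ", sorted(direct_user_members(SAMPLE_DIRECTORY, parent)))
    print("nested:  ", sorted(nested_user_members(SAMPLE_DIRECTORY, parent)))
```

Against a real domain the string from `nested_member_filter` is what you would paste into the "Include by Query" rule (or pass to ldapsearch); the walk in `nested_user_members` is the work the domain controller does for every evaluation, which is why the reply warns that the query can be slow.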
