Internal groups couldn't be fully managed.

You have to delete the group from the rules it is used in, then you can delete the group. Think that is what you are trying to achieve?

Ian

Thank you for suggestion, but these groups have not been used anywhere anymore. The deletion attempt gives an error message: Group could not be deleted. User exists in the Group

Seems like the user is already in some kind of configuration.

Every user gets a group as primary group in XG. So check the group name of the user and check, whether you use this group already in the modules (like WAF, SSL VPN etc.) 

Hi ManBearPig,

Seems like I did'nt clear explained the problem, that is my bad. So the root cause of the issue that I can't exclude users which I have added  into my custom group that I created earlier by myself. There is no such option or particular button like in the section for managing L2TP users.

Hi ManBearPig,

Seems like I did'nt clear explained the problem, that is my bad. So the root cause of the issue that I can't exclude users which I have added  into my custom group that I created earlier by myself. There is no such option or particular button like in the section for managing L2TP users.

I understand, you have a self created group with couple of user in it and want to remove certain users - correct? 

Do you use this group already anywhere? Web Proxy, SSL VPN, L2TP, IPsec, WAF, Anywhere? 

manbearpig said:

I understand, you have a self created group with couple of user in it and want to remove certain users - correct? 

 Do you use this group already anywhere? Web Proxy, SSL VPN, L2TP, IPsec, WAF, Anywhere? 

 

Can you post some screenshots of your config? 

Or dig deeper in the logs while trying to delete the group.

applog.log should be fine for this. 

I found a solution... But I wouldn't say it is an expected way of managing users and groups. I realized that by Sophos ideology the user can participate just in one of the groups (and this killed me swiftly). So I added participants to the other group and that emptied my custom group and allowed me to delete the group. But I am still wondering why developers have chosen so an extraordinary way instead of creating "delete user" button with moving user to a default "Open group"?!

This KBA take care about the Group Membership of XG.

https://community.sophos.com/kb/en-us/123161

In my case I use RADIUS as auth source because of another IPSEC/L2TP VPN limitation. And for proper user groups management I have to add AD to auth source as well. Oh my.. Sophos devs make control shoot into already dead customers after knee self shooting.