
Why do Domain-Users fall into Open Group?

Hi!

I have STAS running and it works quite well for my "Domain-Admin" user. But now I've created a new AD user who belongs to the group "Domain-Users". Unfortunately, this user always gets mapped to "Open Group" instead of the correct group ("Domain-Users").

STAS shows that this particular user is logged in using "Logon Type 2" and XG's log writes that the "user XYZ of group Open Group successfully logged in successfully to Firewall through AD authentication".

If I manually add this user to the correct group everything's fine until the user logs out.

Is there anything I'm missing?



This thread was automatically locked due to age.
  • Hi,

    Greetings.

    By default, users in Active Directory are all part of the Security Group 'Domain Users'. This global security group is automatically set as the primary group in the Member Of settings for the user. The 'memberof' attribute of the user object is not populated with the group name. Because the XG does not query Active Directory for the PrimaryGroupID attribute, and only for the Members attribute of the group, users cannot be prefetched.

    To resolve this issue, create another global Security Group, such as 'XG Domain Users', and add all users from 'Domain Users'.

    Hope that helps.

    Thanks

  • Thanks for your reply.

    Now I've created a new group within my XG called "My users" and added all of my domain users to this group which seemed to work at first sight.

    But as soon as one of my users finishes the regular Windows domain logon, that particular user still falls back to "Open Group".

    Another strange thing is that another user is part of two different security groups in my AD: Domain Users and Domain Admins, where Domain Admins is his primary group. XG always adds him to the "Domain Users" group, and if I manually change this to "Domain Admins", it gets reverted as soon as he logs in or I click on "Purge AD users" within XG.

    Are you sure XG won't query AD for group membership?

  • Hi,

    Group information is forwarded from AD to the STAS agent; the agent passes on the username, user IP, and user group information to the Collector. Sophos firewall sends a user map request (Full update/Incremental update) on UDP port 6677 to the Collector and syncs its user map with the Collector. The reason why user(s) are falling into the Open group is due to some configuration mismatch in AD. Again, by default Primary group information will not be forwarded from AD.

    Thanks 

  • Thanks for the clarification. I've double-checked all that information and, after all, the problem had something to do with special characters in the group name.

    I've now created a group with any "umlauts" (äöüß), imported it within XG and everything works flawlessly.

    Anyway, thanks for all of your hints!
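
Added example, not part of any post in this thread and not Sophos code: a small Python audit that models the two points raised above, namely that a user's primary group is held in `primaryGroupID` rather than in `memberOf`, and that a non-ASCII group name was the cause in the final reply. The domain SID, users, DNs and group names are constructed sample data standing in for LDAP query results.

```python
# Added illustration; all records below are constructed sample data that
# imitate LDAP results. Domain SID, users and group names are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Group lookup by SID; RIDs 512/513 are the well-known Domain Admins/Users.
GROUPS_BY_SID = {
    f"{DOMAIN_SID}-512": "Domain Admins",
    f"{DOMAIN_SID}-513": "Domain Users",
}

USERS = [
    {"sAMAccountName": "newuser", "objectSid": f"{DOMAIN_SID}-1104",
     "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "admin2", "objectSid": f"{DOMAIN_SID}-1105",
     "primaryGroupID": 512,
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=test"]},
    {"sAMAccountName": "sales1", "objectSid": f"{DOMAIN_SID}-1106",
     "primaryGroupID": 513,
     "memberOf": ["CN=Vertrieb-Büro,OU=Groups,DC=example,DC=test"]},
]


def primary_group_name(user):
    """Primary group SID = the user's domain SID + primaryGroupID (a RID)."""
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    return GROUPS_BY_SID.get(f"{domain_sid}-{user['primaryGroupID']}", "<unresolved>")


def group_cn(dn):
    """First RDN value of a DN (the sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit(user):
    """Compare the memberOf-only view with the primary group and flag issues."""
    listed = [group_cn(dn) for dn in user["memberOf"]]
    primary = primary_group_name(user)
    findings = []
    if not listed:
        findings.append("memberOf is empty: only group is the primary group")
    elif primary not in listed:
        findings.append(f"primary group '{primary}' is not in memberOf")
    findings += [f"non-ASCII group name: {g}" for g in listed if not g.isascii()]
    return {"user": user["sAMAccountName"], "memberOf_view": listed,
            "primary": primary, "findings": findings}


if __name__ == "__main__":
    for u in USERS:
        print(audit(u))
```

The `admin2` record mirrors the second case described in the thread: Domain Admins is the primary group, so a consumer that reads only `memberOf` sees Domain Users.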