Nested AD groups not supported in SEC 5.5.2 after registry changes

Hi there,


I'm trying to implement RBA within SEC 5.5.2 and assign existing nested AD groups in the roles and sub-estates configuration. According to community.sophos.com/.../122529, after a few registry changes, nested AD should be supported.


However, after applying the registry changes, nested AD groups are still not supported in the roles/sub-estates. Does anybody share the same experience?

 

Within the KB article, Scenario 3 is the most applicable in our situation.

 

Thanks.

  • Hi  

    Is it showing you any specific error? Also, have you disabled WMI calls as mentioned in the KB article? 

  • In reply to Shweta:

    Hi Shweta,

     

    Thanks for your response. There are no specific error messages shown, however when I check a specific user's sub-estate assignment under Manage Roles and Sub-Estates | User and Group View, a warning message is shown:

     

    I have tested that the assignment works when I instead assign the group nested inside the group currently assigned.

     

    Yes, I have applied both registry settings as can be seen from the screenshot:

     

    Regards,

    Kevin

  • In reply to LamienS:

    Hi  

    Would you please suggest which scenario relates to your environment and also the group level where you are trying to nest the roles for Sophos Enterprise Console?

  • In reply to Jasmin:

    Hi Jasmin,

     

    It's scenario 3, and after looking closer, I think our situation comes closest to RBA <- TDGGr <- TDGGr <- TDUsr (#9), which is not supported...

     

    Any ideas how we can work around this?

     

    Thanks

    Kevin

  • In reply to LamienS:

    Hi  

    Unfortunately, that is not a supported scenario. However, I will check with my team whether we can have any workaround for this in version 5.5.2.

  • In reply to Shweta:

    Hi  

    I have discussed this with my team and I am afraid that this is not a supported scenario. You can create a direct link group and add the users to it for sub estate configuration.
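
One way to maintain the direct group suggested in the reply above, as an added example that is not part of the original thread and is not Sophos-provided code. It assumes the RSAT ActiveDirectory module is available and that every group and user involved can be resolved by the domain controller the module talks to; both group names are hypothetical placeholders.

```powershell
# Added example: keep a flat "direct" group in sync with the effective
# (recursive) user membership of an existing nested group, so the flat
# group can be assigned to the SEC role / sub-estate instead.
Import-Module ActiveDirectory

$NestedGroup = 'SEC-SubEstate-Nested'   # hypothetical: existing nested AD group
$DirectGroup = 'SEC-SubEstate-Direct'   # hypothetical: flat group assigned in SEC

# Effective users of the nested group (-Recursive expands child groups).
$wanted = @(Get-ADGroupMember -Identity $NestedGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Users that are currently direct members of the flat group.
$current = @(Get-ADGroupMember -Identity $DirectGroup |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Users to add, and stale users to remove so that access granted through
# the flat group does not outlive membership of the nested group.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

"To add:    $($toAdd.Count)"
"To remove: $($toRemove.Count)"

# -WhatIf only reports what would change; remove it once the output
# has been reviewed.
if ($toAdd) {
    Add-ADGroupMember -Identity $DirectGroup -Members $toAdd -WhatIf
}
if ($toRemove) {
    Remove-ADGroupMember -Identity $DirectGroup -Members $toRemove -Confirm:$false -WhatIf
}
```

Because the flat group is a copy, it drifts whenever the nested groups change; running the sync on a schedule and reviewing the removal list keeps the sub-estate assignment aligned with the intended membership.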

  • In reply to Shweta:

    Hi Shweta,

     

    Thanks for investigating this. We already have that as a workaround scenario in mind and will go ahead with implementing it following this confirmation.

     

    Regards,

    Kevin

  • In reply to LamienS:

    Hi  

    You're welcome. Feel free to reach out to us for any further concerns.