

AD Authentication, Nested / Staggered Groups not working

Can Sophos please confirm that SFOS 19.0.1 is still not able to detect staggered group membership of an Active Directory? Because that is what I noticed yesterday.

I tried to use a top-level group that contains sub-groups for firewall rules. If the user is a member of a sub-group, SFOS does not see its group membership.

Group A
   +----SubGroup B
   +----SubGroup C
   +----SubGroup D

Subgroup B Members:
User 1
User 2

Subgroup C Members:
User 3
User 4

Subgroup D Members:
User 5
User 6


I imported AD Group A into SFOS.

Users 1-6 restarted their Windows computers with Intercept-X and tried to use the Firewall rule but the traffic was blocked.

I checked the users in SFOS and their group membership from firewall perspective.

The "Group" and "Other group memberships" fields do not list Group A.

If I import Subgroup B into SFOS, User 1 and User 2 show Subgroup B in Other group memberships and the users can use the firewall rule.

So unfortunately, it is very likely SFOS is still unable to read staggered group memberships after all those years.

See posts by  and   here:

Firewall rules by AD group membership does not work.

User Authentication - AD Group in Group

And the Help:

Group membership behavior with Active Directory

But that does not list limitations about staggering / nesting.
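Added example (not part of the original post, and not Sophos code): a check that an AD admin can run to see the difference the post describes from the directory side. A user's memberOf attribute lists only the groups the user is a direct member of, so a product that reads memberOf will never see Group A for User 1 when the user is only in SubGroup B. A server-side LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) resolves the nesting chain and does show it. The script assumes the ActiveDirectory RSAT module on a domain-joined admin workstation; the group sAMAccountName "Group A" and the user names user1 to user6 are placeholders matching the diagram in the post, not names from the original.

```powershell
# Added example, not from the original post or from Sophos.
# Assumes the ActiveDirectory RSAT module and a domain that nests
# SubGroup B/C/D inside "Group A" as in the thread's diagram.
Import-Module ActiveDirectory

$topGroup = 'Group A'                                          # placeholder sAMAccountName
$users    = 'user1','user2','user3','user4','user5','user6'   # placeholder sAMAccountNames

$topDn = (Get-ADGroup -Identity $topGroup).DistinguishedName

foreach ($sam in $users) {
    $user = Get-ADUser -Identity $sam -Properties memberOf

    # Direct membership only: exactly what the memberOf attribute exposes.
    # A product that reads memberOf sees nothing more than this.
    $direct = $user.memberOf -contains $topDn

    # Transitive membership: LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
    # makes the domain controller walk the group nesting for us.
    # Note: a DN containing ( ) * or \ would need RFC 4515 escaping in the filter.
    $filter     = "(&(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$topDn))"
    $transitive = [bool](Get-ADUser -LDAPFilter $filter)

    [pscustomobject]@{
        User              = $sam
        DirectMemberOfTop = $direct       # expected False for users only in a sub-group
        NestedMemberOfTop = $transitive   # expected True for users 1-6
        DirectGroups      = ($user.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ', '
    }
}
```

In the scenario from the post, every row should show DirectMemberOfTop = False and NestedMemberOfTop = True, with DirectGroups listing only the sub-group. Any consumer that evaluates group membership from memberOf (or from an import of the group's member attribute) will only ever match the sub-group, which is consistent with the behaviour described above; only a transitive lookup (the matching rule above, Get-ADGroupMember -Recursive, or the constructed tokenGroups attribute, which reflects the groups in the user's logon token) returns the top-level group.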
