AD Group Membership

Question

I have the proxy running with the authentication method set to SSO.  For the most part, everthing works as expected.

I am having issues where I create a "New Group" in the UTM9 box, assign one or more AD users to the group then use this newly created group in my "Filter Assignments".  The users that are assigned to this group are not being assigned to the proper filter profile.  For some it works fine, but not all.

If I add these AD users directly to the FilterAssignment they are being assigned to the correct filter profile.

Also, if I take a AD user account that I am having issues with and use that to test the adirectory authentication server, it is not showing that he belongs to the UTM9 group in question, even though it does show the other two he would be a member of. I can see his name listed clearly in the group as being there.  I have tried deleting the group and recreating it, but the same thing happens.

Any ideas as to what to check next?

This thread was automatically locked due to age.

Tim S · Answer

Sorry to Necro this thread but it came up when I was looking for the same thing. I have definitely seen the resolution below to this issue in other threads. 
 Dragging the full CN from the finder to create a backend group does not work (pretty sure this is still a bug 5 years later). Instead you need to use the straight CN for the group, in quotes when you assign targets to the policy. 
 For example, I have a global security group nested under other AD OUs, and use the simple CN with quotes "CN=Internet Access Group" - when inserting a group into the filter (create a new group). AD will only let you define a single CN of the same name anyway. Works with the UTM's web filter. But it doesn't create a group in "Users & Groups" as you would expect it to... it simply maps correctly. 
 This article is related but overly complicated to my mind: https://community.sophos.com/kb/en-us/120658 
 ...although it probably describes the issue in full.