000035785 - How to Synchronize Nested AD Group Users from an RSA SecurID Access Identity Source

Document created by RSA Customer Support Employee on Nov 29, 2017

Article Number: 000035785

Applies To: RSA Product Type: SecurID Access
Issue: When attempting to synchronize nested Active Directory Identity Source group members by specifying a User Search Filter that names the parent group, the users in the nested groups are not synchronized.
For example, say the search filter is:

(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=ParentGroup,CN=Users,DC=example,DC=com))

and ParentGroup contains a nested group. The users in the nested group will not be synchronized, because a plain memberOf clause matches only direct members of ParentGroup.
Resolution: Microsoft-specific filter syntax can be used to synchronize the members of ParentGroup together with the members of any nested group. Precede the =CN=ParentGroup with the Microsoft LDAP-specific matching rule syntax :1.2.840.113556.1.4.1941: as shown in the user search filter example below:

(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=CN=ParentGroup,CN=Users,DC=example,DC=com))

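As an added example (not code from the RSA article), the Python below builds both forms of the user search filter and, against a constructed in-memory model of the directory, shows which users each form selects. It assumes the OID 1.2.840.113556.1.4.1941 is Microsoft's LDAP_MATCHING_RULE_IN_CHAIN, and the group and user DNs are constructed sample values.

```python
# Added example: build the SecurID Access user search filter with and without the
# Microsoft transitive-membership matching rule, then simulate each against a
# constructed directory to show why the plain memberOf form misses nested users.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

BASE = "CN=Users,DC=example,DC=com"            # constructed base DN
PARENT = f"CN=ParentGroup,{BASE}"              # group named in the filter
CHILD = f"CN=ChildGroup,{BASE}"                # group nested inside PARENT
ALICE, BOB = f"CN=alice,{BASE}", f"CN=bob,{BASE}"  # constructed user DNs

# Constructed directory: group DN -> its direct member DNs (users or groups).
# CHILD also lists PARENT so the walker is exercised against circular nesting.
GROUPS = {PARENT: [ALICE, CHILD], CHILD: [BOB, PARENT]}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN with special characters cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def user_search_filter(parent_group_dn: str, nested: bool) -> str:
    """The article's filter; nested=True inserts the extensible-match rule."""
    rule = f":{MATCHING_RULE_IN_CHAIN}:" if nested else ""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)"
            f"(memberOf{rule}={escape_filter_value(parent_group_dn)}))")


def users_selected(parent_group_dn: str, nested: bool) -> set:
    """Simulate which user DNs each filter form returns against GROUPS."""
    if not nested:  # plain memberOf: only direct user members of the group
        return {m for m in GROUPS.get(parent_group_dn, ()) if m not in GROUPS}
    found, pending, seen = set(), [parent_group_dn], set()
    while pending:  # walk the nesting chain; 'seen' stops circular nesting
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in GROUPS.get(group, ()):
            if member in GROUPS:
                pending.append(member)
            else:
                found.add(member)
    return found


if __name__ == "__main__":
    for nested in (False, True):
        print(user_search_filter(PARENT, nested))
        print("  selects:", sorted(users_selected(PARENT, nested)))
```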
Notes: See the Microsoft reference Active Directory: LDAP Syntax Filters.
