https://live.paloaltonetworks.com/t5/panorama-discussions/master-user-id-device-receives-non-functioning-configuration-for/m-p/482818#M858 <P>I have a User-Id configuration that has been working successfully for 6 months.&nbsp; I went to add a new group to the group include list, and the syntax that was written from Panorama had JUST the group name in this form :domain\group_name.&nbsp; The working groups as listed by running the '<SPAN>show config merged | match group-include-list' all have a syntax similar to this: [cn=group_name, ou=users and groups, ou=yyy, dc=my_domain, dc=com] etc etc . the FW does not recognize the new group, and cannot retrieve any of the users, so it is non-functional.&nbsp; the previously working groups still work.</SPAN></P> <P>&nbsp;</P> <P><SPAN> FYI: the groups show up correctly when I browse the dialog in Panorama - but none of them, even the working ones, display the cn-ou-dc parameters.</SPAN></P> <P><SPAN>Panorama 9.1.12-h3</SPAN></P> <P><SPAN>Pa-VM100 9.1.0-h3</SPAN></P> Tue, 26 Apr 2022 22:10:50 GMT ClaytonHuml 2022-04-26T22:10:50Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-user-id-device-receives-non-functioning-configuration-for/m-p/482818#M858 <P>I have a User-Id configuration that has been working successfully for 6 months.&nbsp; I went to add a new group to the group include list, and the syntax that was written from Panorama had JUST the group name in this form :domain\group_name.&nbsp; The working groups as listed by running the '<SPAN>show config merged | match group-include-list' all have a syntax similar to this: [cn=group_name, ou=users and groups, ou=yyy, dc=my_domain, dc=com] etc etc . the FW does not recognize the new group, and cannot retrieve any of the users, so it is non-functional.&nbsp; the previously working groups still work.</SPAN></P> <P>&nbsp;</P> <P><SPAN> FYI: the groups show up correctly when I browse the dialog in Panorama - but none of them, even the working ones, display the cn-ou-dc parameters.</SPAN></P> <P><SPAN>Panorama 9.1.12-h3</SPAN></P> <P><SPAN>Pa-VM100 9.1.0-h3</SPAN></P> Tue, 26 Apr 2022 22:10:50 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-user-id-device-receives-non-functioning-configuration-for/m-p/482818#M858 ClaytonHuml 2022-04-26T22:10:50Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-user-id-device-receives-non-functioning-configuration-for/m-p/482937#M859 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144784">@ClaytonHuml</a></P> <P>&nbsp;</P> <P>if you want to add a new AD group into include list from Panorama, you have to configure AD group with whole LDAP string. Here is corresponding KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIOCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIOCA0</A></P> <P>After this is pushed to managed Firewall, you will see AD group in this format:&nbsp;domain\group_name on Firewall side.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> <P>&nbsp;</P> Tue, 26 Apr 2022 22:32:16 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-user-id-device-receives-non-functioning-configuration-for/m-p/482937#M859 PavelK 2022-04-26T22:32:16Z