https://live.paloaltonetworks.com/t5/general-topics/map-users-into-groups-in-a-multi-forest-ad-design/m-p/532508#M109776 <P>Hello Community!</P> <P>&nbsp;</P> <P>I´m trying to find a solution for the following problem:</P> <P>&nbsp;</P> <P>I have two different forests created in the same Active Directory:</P> <P>Forest_1:<BR />subdomain_1.domain_1.com</P> <P>&nbsp;</P> <P>Forest_2:<BR />subdomain_2.domain_2.com</P> <P>&nbsp;</P> <P>There is a trust between the two forests</P> <P>&nbsp;</P> <P>I have also the universal group_X in subdomain_1: subdomain_1\group_X</P> <P>&nbsp;</P> <P>I added the User_Bob belonging to subdomain_2.domain_2.com into group_X</P> <P>&nbsp;</P> <P>Is there any way to make the firewall map the User_Bob into group_X?</P> <P>&nbsp;</P> <P>I tried several configurations but is not retrieving the mapping.</P> <P>&nbsp;</P> <P>cheers.</P> Tue, 28 Feb 2023 18:29:29 GMT Carracido 2023-02-28T18:29:29Z https://live.paloaltonetworks.com/t5/general-topics/map-users-into-groups-in-a-multi-forest-ad-design/m-p/532508#M109776 <P>Hello Community!</P> <P>&nbsp;</P> <P>I´m trying to find a solution for the following problem:</P> <P>&nbsp;</P> <P>I have two different forests created in the same Active Directory:</P> <P>Forest_1:<BR />subdomain_1.domain_1.com</P> <P>&nbsp;</P> <P>Forest_2:<BR />subdomain_2.domain_2.com</P> <P>&nbsp;</P> <P>There is a trust between the two forests</P> <P>&nbsp;</P> <P>I have also the universal group_X in subdomain_1: subdomain_1\group_X</P> <P>&nbsp;</P> <P>I added the User_Bob belonging to subdomain_2.domain_2.com into group_X</P> <P>&nbsp;</P> <P>Is there any way to make the firewall map the User_Bob into group_X?</P> <P>&nbsp;</P> <P>I tried several configurations but is not retrieving the mapping.</P> <P>&nbsp;</P> <P>cheers.</P> Tue, 28 Feb 2023 18:29:29 GMT https://live.paloaltonetworks.com/t5/general-topics/map-users-into-groups-in-a-multi-forest-ad-design/m-p/532508#M109776 Carracido 2023-02-28T18:29:29Z https://live.paloaltonetworks.com/t5/general-topics/map-users-into-groups-in-a-multi-forest-ad-design/m-p/532609#M109785 <P>Use a global catalog: A global catalog (GC) is a searchable directory that contains information about all objects in a forest. It provides a central repository of information that can be used to map users from different domains into groups. To use a GC, you need to configure your AD environment to allow cross-forest queries.&nbsp;<A href="https://www.aimproviderportal.org/" target="_self">AIM Provider Portal Customer Service</A></P> <P>Use universal groups: Universal groups are a type of group that can contain members from any domain in the forest. They are designed to be used in multi-domain and multi-forest environments. By using universal groups, you can create a single group that contains members from multiple domains.</P> <P>Use group nesting: Group nesting is the process of adding a group as a member of another group. This allows you to create hierarchical structures of groups that can be used to map users from different domains into groups. For example, you can create a group in each domain that contains users from that domain, and then create a universal group that contains all of these domain-specific groups.</P> <P>Use group mappings: Group mappings are a feature of Active Directory Federation Services (AD FS) that allow you to map groups from one forest to another forest. This can be useful if you have multiple forests that need to share authentication information.</P> <P>Use synchronization tools: There are several synchronization tools available that can be used to synchronize user and group information between forests. These tools can be used to create a single view of users and groups across multiple forests.</P> Thu, 02 Mar 2023 05:31:11 GMT https://live.paloaltonetworks.com/t5/general-topics/map-users-into-groups-in-a-multi-forest-ad-design/m-p/532609#M109785 Joloalik 2023-03-02T05:31:11Z