https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/595010#M118422 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>. Thanks for the links as I had not seen them yet! It turns out they don't help me in my situation.&nbsp; I'm already at the root of each of the two domains, each their own forest, with the only connection being a trust relationship.<BR /><BR />Tried to see if group mapping could be done via SAML connection to Entra ID but appears to be LDAP only, at least in PAN-OS 10.2. Investigation continues!</P> Thu, 15 Aug 2024 12:49:47 GMT JamesH1318 2024-08-15T12:49:47Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/594950#M118412 <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">I'm using AD groups for some security policies and am expanding to use other domains in our company. While I can add users from another domain into an AD group, the PA only shows me the users in the same domain as the group.&nbsp; For example:<BR /><BR />Domain 1: DC=first,DC=com<BR /></SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">User 1: CN=idone,OU=users,DC=first,DC=com<BR /></SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Group: CN=cars,OU=groups,DC=first,DC=com<BR /></SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><BR />Domain 2: DC=second,DC=com</SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">User 2:&nbsp;CN=idtwo,OU=funnyguys,DC=second,DC=com</SPAN></SPAN></P> <P>&nbsp;</P> <P>The domains, first.com and second.com, have a trust relationship and therefore I can add users from second.com into groups in first.com. However, when I do a show user group name "<SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">CN=cars,OU=groups,DC=first,DC=com" I only see first.com\idone.</SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><BR />If I look at the&nbsp;CN=cars,OU=groups,DC=first,DC=com directly in AD, user idtwo is in the member list but as a SID.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"> I</SPAN></SPAN><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">s there any way to translate FSP (Foreign Security Principals) into usable \ recognizable usernames?</SPAN></SPAN></P> Wed, 14 Aug 2024 19:09:37 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/594950#M118412 JamesH1318 2024-08-14T19:09:37Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/594976#M118414 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/235054">@JamesH1318</a> ,</P> <P>&nbsp;</P> <P>Does these articles help?&nbsp;</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClExCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClExCAK</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGICA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGICA0</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClI8CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClI8CAK</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 15 Aug 2024 03:43:31 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/594976#M118414 TomYoung 2024-08-15T03:43:31Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/595010#M118422 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>. Thanks for the links as I had not seen them yet! It turns out they don't help me in my situation.&nbsp; I'm already at the root of each of the two domains, each their own forest, with the only connection being a trust relationship.<BR /><BR />Tried to see if group mapping could be done via SAML connection to Entra ID but appears to be LDAP only, at least in PAN-OS 10.2. Investigation continues!</P> Thu, 15 Aug 2024 12:49:47 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/595010#M118422 JamesH1318 2024-08-15T12:49:47Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/1239473#M125285 <P>Any luck on finding a solution? I would be interested in learning if you found something that worked!</P> <P>Would pulling both domains into the Palo LDAP suffice? It would be a bit more work as you would need to replicate domain groups within both, but as far as I can tell your original configuration isn't possible.</P> Mon, 06 Oct 2025 18:22:21 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-groups-w-members-from-multiple-domains/m-p/1239473#M125285 RH747 2025-10-06T18:22:21Z