https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34393#M25242 <HTML><HEAD></HEAD><BODY><P>Roh,</P><P></P><P>We have a domain with 10,000 - 12,000 accounts in the domain with no issues. We have user-id agents on two servers (redundancy) polling 12 domains across a total of 39 Domain controllers without issue.&nbsp; Keeping in mind the group membership polling interval mentioned above in the previous posts.&nbsp; The polling interval is a balancing act between performance hit on the servers vs. speed of updating changes to group membership. We will add the user to the rule and commit if there is an urgency to the access request while waiting for the polling interval to update the firewall with the group membership changes (usually an addition).</P><P></P><P>Phil</P></BODY></HTML> Thu, 26 Dec 2013 02:40:40 GMT HITSSEC 2013-12-26T02:40:40Z https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34390#M25239 <HTML><HEAD></HEAD><BODY><P>Hello guys</P><P></P><P>1. I configured LDAP profile and update from AD DC</P><P>2. AD group named domain-users has about 10900 user</P><P>3. Customer created new user and applied new user to domain-users group</P><P></P><P>So I tried to refresh a group-mapping information by debug command. But PAN could not be updated domain-users group information and refreshing member of group.</P><P></P><P>1. I created new group and applied new user to new group</P><P></P><P>PAN could be updated and bring a new-group with their membership.</P><P></P><P>So I have a question. How many PAN recognize a group-member from AD? or PAN has got a limit of max group membership from AD?</P><P></P><P>Thanks in advance.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Fri, 20 Dec 2013 02:24:55 GMT https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34390#M25239 Retired Member 2013-12-20T02:24:55Z https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34391#M25240 <HTML><HEAD></HEAD><BODY><P>Hi Roh,</P><P></P><P>By default existing group mapping is updated after 1 hour, you can change the settings. Please refer bellow mentioned document for more details.</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4994" style="font-size: 10pt; line-height: 1.5em;">https://live.paloaltonetworks.com/docs/DOC-4994</A></P><P></P><P>Let me know if you have further questions.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 26 Dec 2013 00:24:36 GMT https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34391#M25240 hshah 2013-12-26T00:24:36Z https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34392#M25241 <HTML><HEAD></HEAD><BODY><P>You can force group-mapping refresh with following command.</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3294">https://live.paloaltonetworks.com/docs/DOC-3294</A></P></BODY></HTML> Thu, 26 Dec 2013 00:34:26 GMT https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34392#M25241 hshah 2013-12-26T00:34:26Z https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34393#M25242 <HTML><HEAD></HEAD><BODY><P>Roh,</P><P></P><P>We have a domain with 10,000 - 12,000 accounts in the domain with no issues. We have user-id agents on two servers (redundancy) polling 12 domains across a total of 39 Domain controllers without issue.&nbsp; Keeping in mind the group membership polling interval mentioned above in the previous posts.&nbsp; The polling interval is a balancing act between performance hit on the servers vs. speed of updating changes to group membership. We will add the user to the rule and commit if there is an urgency to the access request while waiting for the polling interval to update the firewall with the group membership changes (usually an addition).</P><P></P><P>Phil</P></BODY></HTML> Thu, 26 Dec 2013 02:40:40 GMT https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34393#M25242 HITSSEC 2013-12-26T02:40:40Z https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34394#M25243 <HTML><HEAD></HEAD><BODY><P>hello</P><P>you could find more information here</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-5939">https://live.paloaltonetworks.com/docs/DOC-5939</A></P><P></P><P>greg</P></BODY></HTML> Thu, 26 Dec 2013 11:18:32 GMT https://live.paloaltonetworks.com/t5/general-topics/about-updating-ad-group-membership/m-p/34394#M25243 Gregoux 2013-12-26T11:18:32Z