https://live.paloaltonetworks.com/t5/general-topics/user-in-different-ad-groups/m-p/42966#M31547 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>we want to enforce a policy with user groups from AD. USER ID actually works fine.</P><P></P><P>The following scenario: A single User (e.g. Harry) belongs to different AD groups (e.g. group1 &amp; group2). The policy works with different URL Filtering profiles.</P><P></P><P>Policy 1 will have Source "group1" and Policy 2 will have Source "group2" as Objects.</P><P></P><P>Policy 1 is positioned before Policy 2. If User Harry wants to try to reach an URL which is allowed in Policy 2 (group2) it will never match, because Policy 1 matches always for that User regardless if the URL is allowed or blocked.</P><P></P><P>Has anyone an idea to fix?</P><P></P><P>Thanks </P><P></P><P>Stefan</P></BODY></HTML> Tue, 01 Mar 2011 12:48:27 GMT Haecker 2011-03-01T12:48:27Z https://live.paloaltonetworks.com/t5/general-topics/user-in-different-ad-groups/m-p/42966#M31547 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>we want to enforce a policy with user groups from AD. USER ID actually works fine.</P><P></P><P>The following scenario: A single User (e.g. Harry) belongs to different AD groups (e.g. group1 &amp; group2). The policy works with different URL Filtering profiles.</P><P></P><P>Policy 1 will have Source "group1" and Policy 2 will have Source "group2" as Objects.</P><P></P><P>Policy 1 is positioned before Policy 2. If User Harry wants to try to reach an URL which is allowed in Policy 2 (group2) it will never match, because Policy 1 matches always for that User regardless if the URL is allowed or blocked.</P><P></P><P>Has anyone an idea to fix?</P><P></P><P>Thanks </P><P></P><P>Stefan</P></BODY></HTML> Tue, 01 Mar 2011 12:48:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-in-different-ad-groups/m-p/42966#M31547 Haecker 2011-03-01T12:48:27Z https://live.paloaltonetworks.com/t5/general-topics/user-in-different-ad-groups/m-p/42967#M31548 <HTML><HEAD></HEAD><BODY><P>Hi Stefan,</P><P></P><P>Today you need to create an exception URL Profile and Security Rule to handle these types of cases.&nbsp; It is not pretty, but it does work.&nbsp; There will be enhancements to help simplify this type of policy in a future release.&nbsp; It is possible it may come before the end of this year.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Tue, 01 Mar 2011 16:42:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-in-different-ad-groups/m-p/42967#M31548 kbrazil 2011-03-01T16:42:33Z