https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75031#M41863 <P>If I understand your explanation correctly, you are seeing users from domain B in their proper form (domainb\user) in the user-ip mapping. if you add a second LDAP server profile to match domain B groups, you should be able to also have domain B groups in the policy</P> Tue, 22 Mar 2016 09:27:35 GMT reaper 2016-03-22T09:27:35Z https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75029#M41862 <P>Hi everyone.</P> <P>I'm trying to setup a User-ID installation for our multi-domain Active Directory environment.</P> <P>&nbsp;</P> <P>Here is a rundown on what we have</P> <P>DomainA = Workstations, groups, users, servers, etc. The main domain where everything is conducted</P> <P>DomainB = legacy domain where some user accounts are located.</P> <P>&nbsp;</P> <P>I've installed the User-ID agent on a Windows VM running in DomainA and have configured the PA F/W to talk to DomainA for LDAP and User-ID.</P> <P>&nbsp;</P> <P>The Groups that I want to use as part of the Policy are located in DomainA. Those groups have members from DomainB.</P> <P>&nbsp;</P> <P>In the monitor tab I can see users from DomainB being matched correctly and if I set the policy to a user directly it will match. However where I'm having issues is that if I specifiy a group in DomainA as part of the policy, it's not matching for the user in DomainB.</P> <P>&nbsp;</P> <P>So my question is (after that long winded explanation), can my wanted setup work or do I have to do thing differently?</P> <P>&nbsp;</P> <P>Thanks.</P> Tue, 22 Mar 2016 05:27:24 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75029#M41862 jezkerwin 2016-03-22T05:27:24Z https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75031#M41863 <P>If I understand your explanation correctly, you are seeing users from domain B in their proper form (domainb\user) in the user-ip mapping. if you add a second LDAP server profile to match domain B groups, you should be able to also have domain B groups in the policy</P> Tue, 22 Mar 2016 09:27:35 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75031#M41863 reaper 2016-03-22T09:27:35Z https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75033#M41864 <P>correct, in the monitor tab I can correctly see domainB\user being resolved.</P> <P>in the policy though, if I configure domainA\group as the user and domainB\user is a member of that group, it wasn't resolving the lookup to the group and the policy would fail.</P> <P>&nbsp;</P> <P>I'm not sure which group type to user Global, Domain Local, Universal. I have the LDAP server profile talking to the Global Catalog.</P> <P>&nbsp;</P> <P>I'll try with the second LDAP profile talking to domainB and see if that works.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 22 Mar 2016 10:45:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-group-mapping-for-multi-domain-single-forest/m-p/75033#M41864 jezkerwin 2016-03-22T10:45:33Z