map users into groups in a multi-forest AD design


L3 Networker

Hello Community!


I'm trying to find a solution for the following problem:


I have two different forests created in the same Active Directory:





There is a trust between the two forests


I have also the universal group_X in subdomain_1: subdomain_1\group_X


I added the User_Bob belonging to into group_X


Is there any way to make the firewall map the User_Bob into group_X?


I tried several configurations, but it is not retrieving the mapping.




L0 Member

Use a global catalog: A global catalog (GC) is a searchable directory that contains information about all objects in a forest. It provides a central repository of information that can be used to map users from different domains into groups. To use a GC, you need to configure your AD environment to allow cross-forest queries.

Use universal groups: Universal groups are a type of group that can contain members from any domain in the forest. They are designed to be used in multi-domain and multi-forest environments. By using universal groups, you can create a single group that contains members from multiple domains.

Use group nesting: Group nesting is the process of adding a group as a member of another group. This allows you to create hierarchical structures of groups that can be used to map users from different domains into groups. For example, you can create a group in each domain that contains users from that domain, and then create a universal group that contains all of these domain-specific groups.

Use group mappings: Group mappings are a feature of Active Directory Federation Services (AD FS) that allow you to map groups from one forest to another forest. This can be useful if you have multiple forests that need to share authentication information.

Use synchronization tools: There are several synchronization tools available that can be used to synchronize user and group information between forests. These tools can be used to create a single view of users and groups across multiple forests.
