https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3676834#M548090 <P>I believe it's likely a security thing that MS AD side giving vague&nbsp;responses so that ISE is unable to inform more specifically. This usually takes to enable auditing in MS AD and check on the audit log there.</P> Sat, 28 Jul 2018 20:00:14 GMT hslai 2018-07-28T20:00:14Z https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3416876#M547937 <P>Hi,</P> <P>&nbsp;</P> <P>I am a bit annoyed that ISE doesn't report what is wrong when it is unable to retrieve an AD group.&nbsp;</P> <P>I have different branches in my AD tree, but ISE is only able to retrieve groups from one of them.</P> <P>For example it can find groups under domain/company/abc/123 but not domain/company/xyz/987</P> <P>That is probably a permission problem on the ISE-object in AD. I will have the AD ppl look in to that.</P> <P>&nbsp;</P> <P>What annoys me is that ISE doesn't give an error. It just say "0 Groups Retrieved" when I do the search and the AD connector Operations report say that everything is fine and successfull.&nbsp;</P> <P>&nbsp;</P> <P>Is there a way to get ISE to report something like "The group you are searching for doesn't exist" or "you dont have permission to search in&nbsp;<SPAN>domain/company/xyz/987"?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P><SPAN>Philip</SPAN></P> Fri, 21 Feb 2020 19:01:01 GMT https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3416876#M547937 Philip Vilhelmsson 2020-02-21T19:01:01Z https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3417226#M547938 <P>This subject is not my strong suite, but I would argue that the user account that was used when you joined the AD (to create the&nbsp;ISE machine account in AD) should have sufficient privileges to search the entire domain.&nbsp; This is where I usually default to using a domain admin service account when joining my ISE nodes and I have never had an issue.</P> Wed, 18 Jul 2018 00:02:26 GMT https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3417226#M547938 Arne Bier 2018-07-18T00:02:26Z https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3417530#M548085 <P>Yes that is when joining the AD. After the join ISE will use it's computer object (that we created in AD) to do the search for AD-groups. So the problem has probably to do with that objects permission.&nbsp;</P> <P>However, my issue is that when ISE don't have permission to do a search in AD I don't get an error when I try to retrieve a group under the AD-settings.</P> Wed, 18 Jul 2018 13:42:56 GMT https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3417530#M548085 Philip Vilhelmsson 2018-07-18T13:42:56Z https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3676199#M548088 <P>The answer to the question is no.</P> <P>&nbsp;</P> <P>Really this is a feature request - "please add better error / reporting feedback to ISE when AD searches result in a failure"</P> Fri, 27 Jul 2018 12:45:56 GMT https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3676199#M548088 RichardAtkin 2018-07-27T12:45:56Z https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3676834#M548090 <P>I believe it's likely a security thing that MS AD side giving vague&nbsp;responses so that ISE is unable to inform more specifically. This usually takes to enable auditing in MS AD and check on the audit log there.</P> Sat, 28 Jul 2018 20:00:14 GMT https://community.cisco.com/t5/network-access-control/ise-ad-group-query/m-p/3676834#M548090 hslai 2018-07-28T20:00:14Z