https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643191#M55913 <P>Create a security group called something like "ACS Users" and add the users you want access to this security group.&nbsp; Users can be a part of many security groups, so it will not break anything.&nbsp; Then you will select this group in your AD Groups in ACS.</P><P>&nbsp;</P><P>If this works for you, do not forget to rate!</P> Thu, 23 Apr 2015 19:35:21 GMT cybrsage 2015-04-23T19:35:21Z https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643190#M55912 <P>I'm running ACS 5.5.&nbsp; I have end-users logging in from ASA VPN or Wireless Lan Controllers that hit ACS via RADIUS for authentication. ACS is joined to my Active Dreictory domain to actually authenticate/authorize the end-user connection.&nbsp;</P><P>Everything works great, but I want to restrict access to users who are in a specific AD OU.&nbsp; I can't use the Users and Identity Stores -&gt; External Identity Stores -&gt; Active Directory Groups solution because there isn't an AD group for "All users".&nbsp; I can't use "Domain Users" because that includes service accounts (which are NOT in the User OU).&nbsp; Service accounts are specifically what I'm trying to prohibit from VPN / Wireless access.</P><P>Creating an "All Users" AD group is going to be a long and somewhat painful process due to our IAM solution.</P><P>Any help would be greatly appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Mar 2019 05:39:55 GMT https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643190#M55912 clausonna 2019-03-11T05:39:55Z https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643191#M55913 <P>Create a security group called something like "ACS Users" and add the users you want access to this security group.&nbsp; Users can be a part of many security groups, so it will not break anything.&nbsp; Then you will select this group in your AD Groups in ACS.</P><P>&nbsp;</P><P>If this works for you, do not forget to rate!</P> Thu, 23 Apr 2015 19:35:21 GMT https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643191#M55913 cybrsage 2015-04-23T19:35:21Z https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643192#M55914 <P>Thank you for your fast response - but you failed to answer my specific question.&nbsp; I -know- I can create an AD group to be used by ACS for authentication.&nbsp; I want/need to use just an AD OU (organizational unit).&nbsp; I have 5000+ users and a fairly complex Identity Access Management solution.&nbsp; Adding everyone to an "All Users" AD group is far more difficult than just having ACS restrict access based on what OU the user's account is in.&nbsp; There has to be a way to do this!</P> Thu, 23 Apr 2015 20:08:42 GMT https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643192#M55914 clausonna 2015-04-23T20:08:42Z https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643193#M55915 <P>hi <G class="gr_ gr_20 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="20" data-gr-id="20">Clausonna</G>,</P> <P>I am looking for similar solution. are you able to find something for yourself ?</P> <P></P> Thu, 30 Mar 2017 13:33:54 GMT https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643193#M55915 Atta ullah Meer 2017-03-30T13:33:54Z https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643194#M55916 <P>AFAIK, you have to use security groups.</P> Thu, 30 Mar 2017 19:03:53 GMT https://community.cisco.com/t5/network-access-control/acs-end-user-authentication-to-active-drirectory-ou/m-p/2643194#M55916 cybrsage 2017-03-30T19:03:53Z