https://community.cisco.com/t5/network-access-control/ise-2-7-sponsor-groupe-with-ad-user-can-see-all-guest-accounts/m-p/4461368#M569583 <P>Do you have a match policy for ALL_ACCOUNTS groups configured for 'Other conditions (optional)'? If not, then you shouldn't be matching the ALL_ACCOUNTS group and suggest creating a TAC SR for troubleshooting.</P> Tue, 07 Sep 2021 21:22:16 GMT howon 2021-09-07T21:22:16Z https://community.cisco.com/t5/network-access-control/ise-2-7-sponsor-groupe-with-ad-user-can-see-all-guest-accounts/m-p/4461175#M569577 <P>Hello,<BR />I created a new sponsor groupe with user member from AD.<BR />and with the right to manage "only account sponsor has created"</P><P>The pb is they can see and manage all guest account.</P><P>I noticed that I have this pb only with AD user , not Internal users.<BR />I noticed also, that if I remove all member from AD in the list, they still can login...!<BR />However, they are not specify in any other sponsor group.</P><P>It is like the AD-User are automatically members of group "ALL_ACCOUNTS", even if thy are not configured in it.<BR />I user ISE v2.7 patch2.</P><P>&nbsp;</P><P>Michel Misonne</P> Tue, 07 Sep 2021 15:24:26 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-sponsor-groupe-with-ad-user-can-see-all-guest-accounts/m-p/4461175#M569577 mmisonne 2021-09-07T15:24:26Z https://community.cisco.com/t5/network-access-control/ise-2-7-sponsor-groupe-with-ad-user-can-see-all-guest-accounts/m-p/4461368#M569583 <P>Do you have a match policy for ALL_ACCOUNTS groups configured for 'Other conditions (optional)'? If not, then you shouldn't be matching the ALL_ACCOUNTS group and suggest creating a TAC SR for troubleshooting.</P> Tue, 07 Sep 2021 21:22:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-sponsor-groupe-with-ad-user-can-see-all-guest-accounts/m-p/4461368#M569583 howon 2021-09-07T21:22:16Z