topic Re: ISE with AD nested groups and their depth in Network Access Control https://community.cisco.com/t5/network-access-control/ise-with-ad-nested-groups-and-their-depth/m-p/4623050#M575156 <P>As per the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_77DFFA97638E4A6782C4BE7559463D95" target="_blank" rel="noopener">Active Directory Integration with Cisco ISE 2.x&nbsp; </A>document:</P> <P><EM>"Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups."</EM></P> <P>I'm not aware of any documented testing/validation of the limits of nested group depth, but this would likely be guided by the Microsoft-imposed limits and best-practices based on the software version.<BR />Example... <A href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10)?redirectedfrom=MSDN" target="_blank" rel="noopener">Active Directory Maximum Limits - Scalability</A>&nbsp;</P> Thu, 02 Jun 2022 06:30:10 GMT Greg Gibbs 2022-06-02T06:30:10Z ISE with AD nested groups and their depth https://community.cisco.com/t5/network-access-control/ise-with-ad-nested-groups-and-their-depth/m-p/4622697#M575143 <P>I see from other questions that ISE support AD nested groups&nbsp;</P> <P>can you share an official document contain that info also what about depth? How many levels it is supported?</P> Wed, 01 Jun 2022 16:46:18 GMT https://community.cisco.com/t5/network-access-control/ise-with-ad-nested-groups-and-their-depth/m-p/4622697#M575143 engahmedsaied 2022-06-01T16:46:18Z Re: ISE with AD nested groups and their depth https://community.cisco.com/t5/network-access-control/ise-with-ad-nested-groups-and-their-depth/m-p/4623050#M575156 <P>As per the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_77DFFA97638E4A6782C4BE7559463D95" target="_blank" rel="noopener">Active Directory Integration with Cisco ISE 2.x&nbsp; </A>document:</P> <P><EM>"Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups."</EM></P> <P>I'm not aware of any documented testing/validation of the limits of nested group depth, but this would likely be guided by the Microsoft-imposed limits and best-practices based on the software version.<BR />Example... <A href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10)?redirectedfrom=MSDN" target="_blank" rel="noopener">Active Directory Maximum Limits - Scalability</A>&nbsp;</P> Thu, 02 Jun 2022 06:30:10 GMT https://community.cisco.com/t5/network-access-control/ise-with-ad-nested-groups-and-their-depth/m-p/4623050#M575156 Greg Gibbs 2022-06-02T06:30:10Z