11-21-2017 03:32 PM - edited 02-21-2020 10:39 AM
Folks,
I am trying to delete some old AD groups from ISE. However, I am getting an error message that the group is in use and cannot be deleted.
Is there a way to know where the AD groups are referenced in rules or policy?
Thank you
11-21-2017 04:06 PM
This should be one of the most often requested features and nobody at Cisco is doing anything to help us (the users). It's frustrating and can cause you hours of hunting for a needle in a haystack. I feel your pain.
You have no choice but to go through your entire ISE config (in the GUI) and look for references to that AD Group. It could be used somewhere where you forgot that you even used it there. E.g. in the Admin config, or in some Policy Set that rarely gets used. Sponsor Portal Groups is another one - check there.
Cisco's error messages when deleting an AD Group are pointless. They tell you nothing. They could improve this by listing the references where the AD Group is in use as a useful hint.
11-22-2017 02:05 AM - edited 11-22-2017 02:10 AM
What I found recently while playing around in the lab is that if you perform the policy export from Administration -> Backup and Restore -> Policy Export, you get a .xml file with all the policies and conditions listed. From there you can quickly see which AD groups are used where. If you open the file with something like Notepad++ you can navigate through the XML file structure easily. This should make life a bit easier. But as you say, things like Admin groups, etc. are not listed there, and you would still need to check these manually. I think the Policy Export feature was introduced in ISE version 2.0.
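The reply above suggests opening the policy export XML and navigating it by hand. The script below is an added example (not from the original thread, and not an ISE or Cisco tool) that automates that search: it walks the exported XML, reports every element text or attribute value that contains the AD group you want to delete, and then also reports objects that refer by name to whatever contains the group (for instance a rule that points at a reusable named condition by reference, which a plain text search for the group name would miss). The element and attribute names in the constructed sample (`policyExport`, `condition`, `authzRule`, `ref`, and so on) are hypothetical stand-ins; the real ISE export schema differs, but the search does not depend on any particular tag names.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for an ISE policy export. The element and
# attribute names are hypothetical; the real export's schema differs, but the
# search below does not depend on it.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<policyExport>
  <conditions>
    <condition name="IT-Staff-Cond">
      <attribute>AD1:ExternalGroups</attribute>
      <value>corp.example.com/Users/IT-Staff</value>
    </condition>
  </conditions>
  <policySets>
    <policySet name="Wired">
      <authzRule name="Allow-IT">
        <condition ref="IT-Staff-Cond"/>
      </authzRule>
      <authzRule name="Allow-HR">
        <condition>
          <attribute>AD1:ExternalGroups</attribute>
          <value>corp.example.com/Users/HR</value>
        </condition>
      </authzRule>
    </policySet>
  </policySets>
</policyExport>
"""


def _label(elem):
    """Tag plus the element's own name attribute, so a hit maps back to a GUI object."""
    name = elem.get("name")
    return f"{elem.tag}[name={name}]" if name else elem.tag


def find_group_references(xml_text, group):
    """Locate every place `group` appears in an exported policy XML.

    Returns a dict with two lists of (path, context) tuples:
      direct   - element text or attribute values containing `group`
      indirect - attribute values (other than `name`) equal to the name of an
                 object that directly contains `group`, i.e. references by name
    """
    root = ET.fromstring(xml_text)
    direct, index, named_owners = [], [], set()

    def walk(elem, trail, names_on_trail):
        trail = trail + [_label(elem)]
        if elem.get("name"):
            names_on_trail = names_on_trail + [elem.get("name")]
        path = "/".join(trail)
        index.append((elem, path))
        matched = False
        if elem.text and group in elem.text:
            direct.append((path, elem.text.strip()))
            matched = True
        for attr, val in elem.attrib.items():
            if group in val:
                direct.append((path, f"@{attr}={val}"))
                matched = True
        if matched:
            # Remember every named object enclosing the hit; other objects may
            # point at these by name rather than repeating the group string.
            named_owners.update(names_on_trail)
        for child in elem:
            walk(child, trail, names_on_trail)

    walk(root, [], [])

    indirect = []
    for elem, path in index:
        for attr, val in elem.attrib.items():
            if attr != "name" and val in named_owners:
                indirect.append((path, f"@{attr}={val}"))
    return {"direct": direct, "indirect": indirect}


def format_report(refs):
    """Render the result of find_group_references as one line per hit."""
    lines = []
    for kind in ("direct", "indirect"):
        for path, context in refs[kind]:
            lines.append(f"{kind:8} {path}  <-  {context}")
    return "\n".join(lines) if lines else "no references found"


if __name__ == "__main__":
    # Usage: python find_ad_group.py <export.xml> <group string>
    # With no arguments the constructed sample is searched instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, wanted = fh.read(), sys.argv[2]
    else:
        text, wanted = SAMPLE_EXPORT, "corp.example.com/Users/IT-Staff"
    print(format_report(find_group_references(text, wanted)))
```

Matching is by substring, so searching for the group's full external-group string (as ISE stores it) gives the cleanest results; a short name like `IT-Staff` will also match objects that merely happen to be named after the group. If the real export uses XML namespaces, ElementTree renders tags as `{uri}tag` in the reported paths, which is still enough to find the object in the GUI. As the reply notes, objects that are not part of the policy export (admin groups, sponsor portal groups) still have to be checked by hand.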