Impact of Moving AD Group on ISE

mumbles202
Level 5

Currently I'm using ISE in front of most network devices and referencing an AD group for admins.  That group membership isn't changing, but I do need to move it to another OU within Active Directory.  What changes do I need to make in ISE, if any, since the path to the group will be changing?  

8 Replies

balaji.bandi
Hall of Fame

First I would add the other OU to ISE and test it, before removing the old one.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Can I add a 2nd group with the same name?  Path is currently:

mydomain.local/DomainGroup/Groups/NetAdmins

And would be moving to the following path:

mydomain.local/IT/SecurityGroups/NetAdmins

You can add another one to the same rule, if the user belongs to mydomain.local/DomainGroup/Groups/NetAdmins or mydomain.local/IT/SecurityGroups/NetAdmins

Add one test user in the new mydomain.local/IT/SecurityGroups/NetAdmins and test it.

BB


If you are using the AD groups on the policy rules then you wouldn't need to do anything on ISE as the AD group path wouldn't change if you change the OU. However, if you are using the OUs, or, if you want to start using the OUs then you need to set up your policies to look at the OUs. Take a look please at this post of mine that shows all the required steps:

https://bluenetsec.com/how-to-use-active-directory-ous-in-cisco-ise-authorization-rules/

Thanks for the reply.  I'm currently doing authorization based on AD group membership, not the OU an account resides in.

If I go into ISE and the following path:

Administration --> External Identity Sources --> Active Directory --> Groups (after selecting my domain)

I see the groups I'm referring to listed, along w/ the path to the group. If I go to:

Work Centers --> Policy Elements

and then select the element I'm using it shows the following:

mydomain:ExternalGroups
Equals --> current path to group in AD.

I tested moving the group in AD last night to the new OU and confirmed I was still able to log in to devices, but the path never got updated. Does ISE just go based on the SID of the group once the group is added to ISE? I was able to click "Add" under groups and locate the new path, but as the SID is the same as the old it wouldn't allow me to save it. And when I manually edited the currently defined group with the new path it failed to save as the group is in use in a policy.

It seems to work fine, just wanted it to be consistent in case someone else has to look at it in the future.

You can select the groups, remove them, and then re-add them.

Thanks.  I just have to go back in and update my element then to reflect the new group (same name, new path)?  Will any rules error out as the element will be invalid while I'm making the changes?

If the AD group paths change, then yes, you would need to go to the policy sets and update the rules.
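The thread's observation is that ISE keeps matching on the group's SID while the path it displays goes stale after an OU move. As an added example (not from this thread, Cisco or any ISE API), the script below reconciles the path ISE shows for each group against the group's current distinguishedName keyed by SID, so stale entries can be found before someone is misled by them. The ISE entries, the AD records and the SIDs are constructed sample data; in practice the AD side would come from an LDAP search for objectSid and distinguishedName.

```python
"""Flag ISE AD-group entries whose displayed path no longer matches AD.

Added example, not from the thread. ISE identifies a group by SID, so the
path it shows can lag behind an OU move; this compares the two per SID.
All data below is constructed sample data.
"""
import re

# Constructed: what ISE lists under External Identity Sources > AD > Groups.
ISE_GROUPS = [
    {"name": "mydomain.local/DomainGroup/Groups/NetAdmins",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"name": "mydomain.local/DomainGroup/Groups/Helpdesk",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-1106"},
]

# Constructed: objectSid -> distinguishedName after NetAdmins was moved.
AD_GROUPS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105":
        "CN=NetAdmins,OU=SecurityGroups,OU=IT,DC=mydomain,DC=local",
    "S-1-5-21-1111111111-2222222222-3333333333-1106":
        "CN=Helpdesk,OU=Groups,OU=DomainGroup,DC=mydomain,DC=local",
}


def dn_to_canonical(dn: str) -> str:
    """Convert an LDAP DN to the domain/OU/.../CN form ISE displays."""
    # Split on unescaped commas; DN components are most-specific first.
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    rdns = [(k.strip().upper(), v.replace("\\,", ","))
            for k, v in (p.split("=", 1) for p in parts)]
    domain = ".".join(v for k, v in rdns if k == "DC")
    path = [v for k, v in reversed(rdns) if k in ("OU", "CN")]
    return "/".join([domain] + path)


def stale_paths(ise_groups, ad_groups):
    """Return (sid, ise_path, current_path); current_path is None if the
    SID no longer exists in AD, which would break the ISE lookup entirely."""
    stale = []
    for g in ise_groups:
        dn = ad_groups.get(g["sid"])
        current = dn_to_canonical(dn) if dn is not None else None
        if current != g["name"]:
            stale.append((g["sid"], g["name"], current))
    return stale


if __name__ == "__main__":
    for sid, old, new in stale_paths(ISE_GROUPS, AD_GROUPS):
        print(f"{sid}: ISE shows {old}, AD now has {new}")
```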