Hello -  I will probably be opening a TAC Case on this but thought id ask here first in case someone can explain...We have an ISE 2.4 (unpatched)  Server used for guest wireless, with Sponsor Approval required.  We used the orginal 3 Sponsor groups for Guest Admin, we had only one simple requirement.

Single users approve their own guests (AD Links, emails the sponsors). Every user account we self create with a sponsor's email can approve their own guests requests. Only added requirement is they want an AD Group to contain 'Guest Admin' members who can administer all guest accounts and approve pending requests.  When we create a local user with a membership in 'ALL USERS' group they work fine, can approve any pending account request.  We made an AD group a member of this 'SPONSOR ALL' Sponsor Group, verified the AD username user  is a member of the group (under AD attributes of extenal identity sources etc) , that person can see and administer all Guest accounts, but cannot approve other people's pending requests when logged in this way.  Wondered if this is a bug or if i set something wrong? All other AD integrations are working fine, for identity authorization policies, group memberships etc, its only this  sponsor group in the sponsor portal having the issue. The  problem beavior follows for any Sponsor group I try to create. A member of the AD group  cannot  approve pending accounts but local user member of the group can do it.  If anyone can provide insight before I get a TAC case going it would be much appreciated. Thanks for reading!