07-07-2014 07:19 AM - edited 03-10-2019 09:51 PM
Hello,
There is a need to rename some of the Active Directory groups mapped to an external identity store on our ACS 5.4 server. Has anybody ever done this? Does the ACS server just magically pick up on the renamed group or do we need to manually remove the old group name and re-add the new group name to the identity store? If so, does that mean we need to modify all the rules associated with that group?
Thanks, just trying to figure out how much work this is going to be.
07-09-2014 07:03 AM
Hi,
AFAIK you would have to remove the policies associated with those groups, remove the old groups, add the new groups and create the policies.
You can however just create the new groups in the Active Directory, add the groups in the ACS and using the AD group 'OR' condition just add the new groups in the Policy.
E.g., if your old group name is "Helpdesk" and you would like to change it to "Helpdesk users", you can create the new group in the AD, add the group in the ACS and in the policy just select if the user is part of either "Helpdesk" or "Helpdesk users" --> apply the policy.
This way you would be able to save some of your time.
Regards,
Kush
07-07-2014 09:56 PM
Good question! I would like to know the answer to it as well. Same for ISE! It would be a pain to delete the group(s) because ACS/ISE won't let you if they are referenced in policies, so it would be a major pain in the rear. I am away from home now but can test it in my lab when I return next week. Hopefully someone else chimes in before that :)
07-09-2014 05:13 AM
Bump .. Anybody?
07-09-2014 07:34 AM
Thanks Kush, that's what I was thinking I would need to do. I was hoping the new group names would just migrate over but that was probably too much to ask. We would be replacing groups, not adding them so I'd have to go back afterwards and remove the "or" groups. Time consuming either way, but the way you described is certainly faster and safer.