ISE AD-group query



I am a bit annoyed that ISE doesn't report what is wrong when it is unable to retrieve an AD group. 

I have different branches in my AD tree, but ISE is only able to retrieve groups from one of them.

For example, it can find groups under domain/company/abc/123 but not domain/company/xyz/987.

That is probably a permission problem on the ISE-object in AD. I will have the AD people look into that.


What annoys me is that ISE doesn't give an error. It just says "0 Groups Retrieved" when I do the search, and the AD connector Operations report says that everything is fine and successful.


Is there a way to get ISE to report something like "The group you are searching for doesn't exist" or "you don't have permission to search in domain/company/xyz/987"?




VIP Advocate

Re: ISE AD-group query

This subject is not my strong suit, but I would argue that the user account that was used when you joined the AD (to create the ISE machine account in AD) should have sufficient privileges to search the entire domain. This is where I usually default to using a domain admin service account when joining my ISE nodes and I have never had an issue.

Re: ISE AD-group query

Yes, that is when joining the AD. After the join, ISE will use its computer object (that we created in AD) to do the search for AD-groups. So the problem probably has to do with that object's permission.

However, my issue is that when ISE doesn't have permission to do a search in AD, I don't get an error when I try to retrieve a group under the AD-settings.


Re: ISE AD-group query

The answer to the question is no.


Really this is a feature request - "please add better error / reporting feedback to ISE when AD searches result in a failure"

Cisco Employee

Re: ISE AD-group query

I believe it's likely a security thing: the MS AD side gives vague responses, so ISE is unable to report more specifically. This usually requires enabling auditing in MS AD and checking the audit log there.