Users who are members of a group in Active Directory do not match the group referenced in the ProxySG Web Access Layer policy.
This usually happens when an existing group is deleted or renamed in Active Directory and a new group with the same name is created. The new group receives a different Security Identifier (SID); because the ProxySG resolves the group name to a SID and matches on the SID rather than the name, the recreated group is a different principal to the appliance even though the name is unchanged.
To verify whether a group-of-interest (GOI) has two different SIDs, compare the SID the ProxySG holds for the affected GOI with the SID Active Directory currently holds for the same group name.
To determine the SID of the affected GOI on the ProxySG appliance:
To determine the SID of the affected GOI in Active Directory:
Group Name          Type    SID                                              Attributes
BLUECOAT\MyGroup    Group   S-1-5-21-1111111111-222222222-333333333-97531   Mandatory group, Enabled by default, Enabled group
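The comparison described above, as an added example that is not part of the original article and is not a Symantec or Broadcom tool: it resolves the group name to its current SID in Active Directory from any domain-joined Windows host and compares it with the SID copied from the ProxySG. The domain BLUECOAT, the group MyGroup and the value in $ProxySgSid are placeholders taken from the sample output above; substitute the real group name and the SID the appliance reports.

```powershell
# Added example: compare the SID the ProxySG reports for a group-of-interest
# with the SID Active Directory currently holds for the same group name.
# Assumptions (placeholders, not values from the article's environment):
#   - the domain is BLUECOAT and the group is MyGroup
#   - $ProxySgSid is the SID copied from the ProxySG for that group
$GroupName  = 'BLUECOAT\MyGroup'
$ProxySgSid = 'S-1-5-21-1111111111-222222222-333333333-97531'   # copied from the ProxySG

# Resolve name -> SID through the local LSA; works on any domain-joined host
# without the RSAT ActiveDirectory module.
try {
    $AdSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "Group '$GroupName' does not exist in Active Directory; the ProxySG reference is stale."
}

# Alternative when the ActiveDirectory RSAT module is installed:
#   $AdSid = (Get-ADGroup -Identity 'MyGroup').SID.Value

if ($AdSid -eq $ProxySgSid) {
    "SID for $GroupName matches AD ($AdSid); the Web Access Layer reference is current."
} else {
    "SID mismatch for $GroupName"
    "  ProxySG: $ProxySgSid"
    "  AD:      $AdSid"
    # Only the final component (the RID) changes when a group is recreated in the
    # same domain; the S-1-5-21-... domain prefix stays the same. Always compare the
    # full SID string, never just the prefix or the name.
    "  Update the group reference in the Web Access Layer so it resolves to the current SID."
}

# Optional: confirm which SID an affected user actually carries in their logon token.
# Run as the affected user; the headers match the 'whoami /groups' table shown above.
whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.'Group Name' -eq $GroupName } |
    Select-Object 'Group Name', 'SID'
```

If the SID printed by whoami for the user differs from the SID the ProxySG holds, the user is a member of the recreated group and the appliance is still referencing the deleted one.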
In some environments, group lookups can take a long time and delay processes such as policy compilation. To reduce this, Symantec implemented the Active Directory group cache feature, which lets the ProxySG avoid repeating these group lookups whenever possible. The group cache is held in memory only and is not persistent: it is rebuilt after a restart, so a stale name-to-SID mapping does not survive a reboot of the appliance.
To resolve the issue of different SIDs, do one of the following:
From the SGOS 126.96.36.199 Release Notes:
A new CLI subcommand has been added to control caching of name-to-SID mappings for each group-of-interest: