AD group members and nested groups members are not properly synchronizing
Article ID: 406237

Products

VCF Operations
VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

1. An Active Directory (AD) service account is used when configuring the Authentication Source for AD in VMware Cloud Foundation (VCF) Operations.

2. Test connection is successful.

3. When AD groups are added to VCF Operations using LDAP, the users and nested groups within those AD groups are not properly discovered and loaded into the corresponding groups within Aria Operations. Some groups list no user accounts at all; others show some user accounts but not all of them.

Environment

VCF Operations 8.18.x

Cause

Synchronization failures for nested groups typically occur when the service account used for the Active Directory integration lacks read access to the "memberOf" attribute in Active Directory Users and Computers (ADUC). memberOf is the back-link attribute that records which groups an object belongs to; when the service account cannot read it, VCF Operations cannot traverse the directory hierarchy to discover all members, so a group appears empty or only partially populated.

Resolution

Verify and update the service account permissions in Active Directory:

  1. Identify the service account used for the integration under Administration > Authentication Sources.
  2. Open Active Directory Users and Computers on the domain controller.
  3. Locate the service account and ensure it has Read access to the memberOf attribute for all users and nested groups intended for synchronization.
  4. If synchronizing across multiple domains, ensure the authentication source is configured to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
  5. In VMware Aria Operations, navigate to the Authentication Source and click Synchronize to refresh the group memberships.
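The following PowerShell script is an added verification aid for the cause and resolution steps above; it is not part of the KB article and is not VMware or Broadcom tooling. It assumes a domain-joined machine with the RSAT ActiveDirectory module, and the group names, domain controller name and service account name are placeholders to replace with your own values. Run with the service account's credentials, it walks each target group's nested membership the same way a directory sync would, flags members whose memberOf attribute comes back empty (the permission gap described under Cause), and checks that the Global Catalog ports from step 4 are reachable.

```powershell
# Added verification script (not from the KB article). Placeholder values:
# replace the group names, DC and service account with your own.
param(
    [string[]] $GroupNames     = @('VCF-Ops-Admins', 'VCF-Ops-ReadOnly'),  # placeholder groups
    [string]   $Server         = 'dc01.example.com',                      # placeholder DC
    [string]   $ServiceAccount = 'EXAMPLE\svc-vcfops'                     # placeholder account
)
Import-Module ActiveDirectory

# Prompt for the service account's password so every query below runs with
# that account's rights, not those of the logged-on administrator.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

function Get-NestedMembers {
    param([string] $GroupName, [hashtable] $Seen = @{})
    # Walk the group tree level by level (rather than -Recursive) so a nested
    # group the account cannot read shows up as a visible gap in the output.
    foreach ($m in Get-ADGroupMember -Identity $GroupName -Server $Server -Credential $cred) {
        if ($Seen.ContainsKey($m.DistinguishedName)) { continue }   # guard against group cycles
        $Seen[$m.DistinguishedName] = $true
        if ($m.objectClass -eq 'group') {
            Get-NestedMembers -GroupName $m.DistinguishedName -Seen $Seen
        } else {
            $m
        }
    }
}

foreach ($g in $GroupNames) {
    $members = @(Get-NestedMembers -GroupName $g)
    Write-Host "$g : $($members.Count) nested member(s) visible to $ServiceAccount"

    # Every member found here belongs to at least one group, so its memberOf
    # must be non-empty. An empty value means the attribute is not readable by
    # the service account, which is exactly the condition this KB describes.
    foreach ($u in $members) {
        $obj = Get-ADObject -Identity $u.DistinguishedName -Properties memberOf `
                            -Server $Server -Credential $cred
        if (-not $obj.memberOf) {
            Write-Warning "  $($u.SamAccountName): memberOf not readable as $ServiceAccount"
        }
    }
}

# Multi-domain forests: the authentication source should use a Global Catalog port.
foreach ($port in 3268, 3269) {
    $ok = (Test-NetConnection -ComputerName $Server -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("GC port {0}: {1}" -f $port, $(if ($ok) { 'reachable' } else { 'NOT reachable' }))
}
```

If the script reports a member count lower than what an administrator sees for the same group, or prints memberOf warnings, fix the service account's read permission in ADUC (step 3) before re-running Synchronize in the authentication source (step 5); a "NOT reachable" Global Catalog port points at step 4 instead.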