Understanding Active Directory Group Sync in CloudSOC SpanVA and DSS



Article ID: 406721


Products

CASB Security Advanced, CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

This article explains how Active Directory (AD) groups are created and synchronized in CloudSOC using SpanVA and the Directory Synchronization Service (DSS). In some cases, the AD sync process may appear to create more groups than expected. This behavior can be surprising but is a result of how CloudSOC handles group data from multiple sources.

Cause

CloudSOC’s AD Sync process is designed to prioritize ease of use while ensuring comprehensive coverage of group data. To achieve this, it relies on two distinct sources of truth:

  • Direct LDAP queries defined in the AD Profile
  • Group membership attributes found in user accounts

This dual-source approach can lead to the creation of additional group objects, which may appear unexpected but are part of the system’s intended behavior.

Resolution

CloudSOC uses two main mechanisms to ingest and sync AD group data:

1. LDAP Group Search Queries
Defined in the AD Profile, these queries specify which groups to pull from AD.

  • Any group matching the query is considered valid and will be created or updated in CloudSOC.
  • Groups previously synced but no longer matching the query are marked for deletion.
  • These group objects are complete and include full metadata from AD.

2. User Account Group Memberships
During user ingestion, CloudSOC checks each user's group memberships—typically using the memberOf attribute.

  • If a user belongs to a group not captured by LDAP queries, CloudSOC will still create a simplified group object.
  • These inferred group objects contain only basic information: group name and associated users.
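The following is an added illustration, not CloudSOC, SpanVA or DSS code: a small Python model of the two-source sync described in steps 1 and 2, run over constructed sample data (the group DNs, user names and attribute values are made up). It shows why the resulting group count can exceed what the AD Profile query returns, and it gives an administrator a way to list which groups were inferred from memberOf rather than pulled by the query. The handling of previously synced query groups follows step 1; how inferred groups are retired is not described in the article, so the model deliberately leaves them alone.

```python
"""Added example, not CloudSOC/SpanVA/DSS code: a minimal model of the
two-source AD group sync this article describes, with constructed data."""
import re

# ---- Constructed sample input -------------------------------------------
# Groups returned by the LDAP group search query defined in the AD Profile.
# Each carries full AD metadata (modelled here with just two attributes).
LDAP_QUERY_RESULTS = [
    {"dn": "CN=Finance,OU=Groups,DC=example,DC=com",
     "description": "Finance department",
     "managedBy": "CN=alice,OU=Users,DC=example,DC=com"},
    {"dn": "CN=Engineering,OU=Groups,DC=example,DC=com",
     "description": "Engineering department",
     "managedBy": "CN=dave,OU=Users,DC=example,DC=com"},
]

# User accounts ingested from AD, each with its memberOf attribute.
USERS = [
    {"sAMAccountName": "alice", "memberOf": [
        "CN=Finance,OU=Groups,DC=example,DC=com",
        "CN=Engineering,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "memberOf": [
        "CN=Engineering,OU=Groups,DC=example,DC=com",
        "CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "memberOf": [
        "CN=Printer-Admins,OU=Groups,DC=example,DC=com"]},
]

# Names of query-sourced groups CloudSOC already holds from the previous run.
PREVIOUSLY_SYNCED_LDAP_GROUPS = {"Finance", "Engineering", "Legacy-Sales"}


def group_name_from_dn(dn):
    """Return the CN (group name) component of a distinguished name."""
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    if not match:
        raise ValueError(f"no CN component in DN: {dn}")
    return match.group(1)


def sync_groups(ldap_results, users, previously_synced):
    """Model the two-source sync.

    Returns (groups, to_delete):
      groups    - dict name -> {"source": "ldap"|"inferred", "members": set, ...}
      to_delete - previously synced query-sourced groups that no longer match
    """
    groups = {}
    # Source 1: LDAP group search query -> complete objects with full metadata.
    for entry in ldap_results:
        name = group_name_from_dn(entry["dn"])
        groups[name] = {"source": "ldap", "members": set(),
                        **{k: v for k, v in entry.items() if k != "dn"}}
    # Source 2: memberOf on user accounts -> minimal objects for groups the
    # query did not return (name and members only).
    for user in users:
        for dn in user.get("memberOf", []):
            name = group_name_from_dn(dn)
            if name not in groups:
                groups[name] = {"source": "inferred", "members": set()}
            groups[name]["members"].add(user["sAMAccountName"])
    # Query-sourced groups from the last run that no longer match the query
    # are marked for deletion. Assumption: only query-sourced groups are
    # tracked here; the lifecycle of inferred groups is not modelled.
    matched_now = {group_name_from_dn(e["dn"]) for e in ldap_results}
    to_delete = set(previously_synced) - matched_now
    return groups, to_delete


def inferred_group_names(groups):
    """Groups that the AD Profile query did not ask for: the 'surprise' set."""
    return sorted(n for n, g in groups.items() if g["source"] == "inferred")


if __name__ == "__main__":
    groups, to_delete = sync_groups(
        LDAP_QUERY_RESULTS, USERS, PREVIOUSLY_SYNCED_LDAP_GROUPS)
    for name, g in sorted(groups.items()):
        print(f"{name:15} source={g['source']:8} members={sorted(g['members'])}")
    print("marked for deletion:", sorted(to_delete))
    print("inferred (not from LDAP query):", inferred_group_names(groups))
```

With this input the query returns two groups, yet four end up in CloudSOC: Finance and Engineering carry their AD attributes, while VPN-Users and Printer-Admins exist only because bob and carol list them in memberOf and hold nothing beyond a name and a member list. Legacy-Sales, synced on an earlier run but no longer matched by the query, is marked for deletion. Comparing the inferred set against the AD Profile query is the quickest way to confirm that an unexpected group came from a user's memberOf rather than from a misconfigured query.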


Note:

Group objects created via LDAP queries are rich in detail and include full attributes from AD. In contrast, group objects inferred from user memberships are minimal and may only include the group name and its members.