Assign Group Membership to Users in case of Tight Integration with Active Directory

Applicable to Version: 9.0 (All builds) & 10.0 (All builds)

If a user is a member of multiple Active Directory groups, Cyberoam decides the user's group based on the order of the groups defined in Cyberoam. Cyberoam searches the ordered group list from top to bottom to determine the user's group membership. The first group that matches is treated as the user's group, and that group's policies are applied to the user.

There are 2 scenarios related to the group membership issue:

Note:


Cyberoam Group Screen
Group A, Group B and Group C are imported from Active Directory, as shown in the screenshot below.
 
 
 

When a new user is created in Active Directory, the user gets membership of “Domain Users”, and the user's Primary Group is set to ‘Domain Users’ by default.

Now Active Directory user John, who is a member of Group A, B, C and Domain Users, authenticates with Cyberoam and falls into Group C on Cyberoam, as this group is at the top of the Cyberoam groups.

Active Directory User Property Screen
 
Select the user; right-click the user → Properties. Select the Member Of tab, as shown in the screenshot below:
 

Cyberoam User Property Screen

Log on to the Cyberoam Web Admin Console as a user with the “Administrator” profile.

Go to Identity → Live Users; the screen is displayed as shown in the screenshot below:



Scenario 2: User’s Active Directory Primary Group is other than “Domain Users”

If you change the Primary Group from ‘Domain Users’ to another group, or remove it, then on authentication the user will fall under an incorrect group in Cyberoam.

Now user John authenticates again and falls into Group B on Cyberoam. The reason is a behavior of Microsoft Active Directory: Active Directory does not send group membership information for the primary group.

Here the user’s Primary Group is set to Group C. Hence, when the user authenticates and Cyberoam verifies the authentication request with Active Directory, Active Directory provides the group membership information of user John as ‘Group A, B, Domain Users’. As Group B is above Group A, John falls into Group B in Cyberoam.

Active Directory User Property Screen
 
Select the user; right-click the user → Properties. Select the Member Of tab, as shown in the screenshot below:
 
 

Cyberoam User Property Screen

Log on to the Cyberoam Web Admin Console as a user with the “Administrator” profile.

Go to Identity → Live Users; the screen is displayed as shown in the screenshot below:
 

Conclusion:
 
· When a user is a member of multiple groups, set the primary group to ‘Domain Users’ or to a group whose membership does not need to be checked in Cyberoam.

· In Cyberoam, a user who is a member of multiple groups falls into the highest-priority Cyberoam group of which that user is a member.

E.g.: If a user is a member of Group A, B, C in Active Directory and all three groups are imported into Cyberoam, then on authentication the user falls into the group that is at the top priority in Cyberoam manage group.
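The two scenarios above can be checked offline before changing a user's primary group. The following is an added example, not Cyberoam's code: the function names and the sample users are constructed for illustration, and returning `None` when no imported group matches is an assumption the article does not cover. It models the top-to-bottom first-match search and flags users whose primary group hides the group they would otherwise be placed in.

```python
# Added example: models the first-match group resolution this article describes.
# The group order and sample users are constructed to mirror the article's scenarios.

# Cyberoam group list, top priority first (Group C above Group B above Group A).
CYBEROAM_GROUP_ORDER = ["Group C", "Group B", "Group A"]

# Constructed users: (all AD group memberships, AD primary group).
USERS = {
    "john_scenario1": (["Group A", "Group B", "Group C", "Domain Users"], "Domain Users"),
    "john_scenario2": (["Group A", "Group B", "Group C", "Domain Users"], "Group C"),
}


def reported_groups(all_groups, primary_group):
    """Memberships AD returns on authentication: everything except the primary group."""
    return [g for g in all_groups if g != primary_group]


def resolve_group(reported, order=CYBEROAM_GROUP_ORDER):
    """Search the ordered list top to bottom; the first matching group wins."""
    reported = set(reported)
    for group in order:
        if group in reported:
            return group
    return None  # assumption: no imported group matched


def audit(users, order=CYBEROAM_GROUP_ORDER):
    """List users whose primary group hides a higher-priority Cyberoam group."""
    findings = []
    for name, (groups, primary) in users.items():
        intended = resolve_group(groups, order)
        effective = resolve_group(reported_groups(groups, primary), order)
        if intended != effective:
            findings.append(
                {"user": name, "primary": primary,
                 "intended": intended, "effective": effective}
            )
    return findings


if __name__ == "__main__":
    for finding in audit(USERS):
        print(finding)
```

Any user the audit returns would receive the policies of the `effective` group rather than the `intended` one until the primary group is set back to ‘Domain Users’ or the Cyberoam group order is changed.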
 
Document Version: 1.0-17/01/2011

 
 
Article ID: 1790