Knowledge Base > Article [0029]

Search in Nested Group in AD

Have you ever encountered this problem: you configured a policy on a group, but it did not take effect for a user who belongs to that group? For instance, you set up a token auto-provisioning policy on a group, but the end user still gets the message "authenticator not found", which means no token was found for this type of authenticator. In other words, the token auto-provisioning policy somehow does not apply to the user.

Why? The likely cause is that you are running a Windows 2003 Domain Controller, which has a bug: it does not support the LDAP_MATCHING_RULE_IN_CHAIN matching rule (used to evaluate nested group membership in a single LDAP query) unless you apply its hotfix.

If you cannot patch it for whatever reason, and you do not use nested user groups, there is a workaround in DualShield: uncheck the option "Search Nested Group membership" in the Identity Source.

A Windows 2008 DC supports LDAP_MATCHING_RULE_IN_CHAIN, so it will not have this problem if you check that option. However, we still encourage you to uncheck it if you do not have nested groups, because an LDAP_MATCHING_RULE_IN_CHAIN search is a time-consuming operation on the DC.
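To make the difference between the two settings concrete, here is an added example (not DualShield's own code, and not from this article) that shows the two LDAP filters an identity source would send for "direct membership only" versus "nested membership" (the latter using the LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941), and then reproduces locally, over a small constructed directory, the group expansion the DC has to perform when that rule is used. The function names, the sample DNs and the in-memory directory are assumptions made for the example; a DC that lacks the matching rule cannot evaluate the nested filter, which is why the user in a nested group is not matched and ends up with "authenticator not found".

```python
from collections import deque

# Matching-rule OID that asks an AD domain controller to evaluate membership
# transitively (through nested groups) within one query.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: each DN maps to its attributes (assumption for
# this example, not real data). Alice is only in Helpdesk, which is nested
# inside TokenUsers; Bob is a direct member of TokenUsers. LoopA/LoopB form a
# membership cycle so the expansion must guard against infinite loops.
TOKEN_USERS = "CN=TokenUsers,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
LOOP_A = "CN=LoopA,OU=Groups,DC=example,DC=com"
LOOP_B = "CN=LoopB,OU=Groups,DC=example,DC=com"
ALICE = "CN=Alice,OU=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Users,DC=example,DC=com"

DIRECTORY = {
    TOKEN_USERS: {"objectClass": "group", "memberOf": []},
    HELPDESK: {"objectClass": "group", "memberOf": [TOKEN_USERS]},
    LOOP_A: {"objectClass": "group", "memberOf": [LOOP_B]},
    LOOP_B: {"objectClass": "group", "memberOf": [LOOP_A]},
    ALICE: {"objectClass": "user", "memberOf": [HELPDESK, LOOP_A]},
    BOB: {"objectClass": "user", "memberOf": [TOKEN_USERS]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a DN
    containing parentheses or asterisks cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_membership_filter(group_dn: str, nested: bool) -> str:
    """Filter that finds users in group_dn; nested=True asks the DC to walk
    nested groups via LDAP_MATCHING_RULE_IN_CHAIN (unsupported on an
    unpatched Windows 2003 DC)."""
    dn = escape_filter_value(group_dn)
    if nested:
        return f"(&(objectClass=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn}))"
    return f"(&(objectClass=user)(memberOf={dn}))"


def direct_groups(directory: dict, dn: str) -> set:
    """Groups listed directly in the entry's memberOf attribute."""
    return set(directory.get(dn, {}).get("memberOf", []))


def transitive_groups(directory: dict, dn: str) -> set:
    """All groups reachable through nested membership; this is the work the
    DC does for an IN_CHAIN query. The 'seen' set stops cycles."""
    seen = set()
    queue = deque(direct_groups(directory, dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(directory, group))
    return seen


def policy_applies(directory: dict, user_dn: str, policy_group_dn: str, nested: bool) -> bool:
    """Would a policy bound to policy_group_dn apply to user_dn under the
    given 'Search Nested Group membership' setting?"""
    groups = transitive_groups(directory, user_dn) if nested else direct_groups(directory, user_dn)
    return policy_group_dn in groups


if __name__ == "__main__":
    for nested in (False, True):
        print("nested search:", nested)
        print("  filter:", build_membership_filter(TOKEN_USERS, nested))
        for user in (ALICE, BOB):
            print("  ", user, "->", policy_applies(DIRECTORY, user, TOKEN_USERS, nested))
```

Running it shows that Bob, a direct member, is matched with either setting, so unchecking "Search Nested Group membership" is safe for a flat group structure, while Alice is only matched when the nested expansion is performed; on a DC that cannot evaluate the IN_CHAIN rule that expansion never happens.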