If you haven't noticed by now, CPPM uses the MemberOf command to retrieve users' group information from LDAP and AD. The problem with this method is that the MemberOf command does not retrieve the Primary Group Membership attribute of the user (this is a Microsoft limitation, not a CPPM one). This can be an issue because, by default, a user's primary group is the Domain Users group, while other built-in accounts might have a different primary group membership.

This leads to issues when customers want to use the Domain Users group for role mapping and enforcement. It also becomes a problem when troubleshooting why a specific user may not be getting the proper role. For instance, if user A is in accounting and the domain admin has changed that user's primary group membership to the accounting group, then the MemberOf command will not return the accounting group and role mapping will fail.

How can we check the primary group membership of a user? Log into the Domain Controller and launch the Act
http://www.ebrahma.com/2013/09/aruba-cppm-using-domain-users-for-role-mapping/
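The primary group that MemberOf leaves out, as described above, can be recovered from two other AD attributes: `primaryGroupID` holds the group's RID, and replacing the last component of the user's `objectSid` with it gives the group's SID. The following is an added example, not code from the original post or from CPPM; it assumes the LDAP entries have already been fetched into dictionaries, and the domain SID, DNs and account names are constructed sample values.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Swap the user's own RID for primaryGroupID to get the group's SID."""
    domain_sid, _, _user_rid = sid_to_str(object_sid).rpartition("-")
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(entry: dict, groups_by_sid: dict) -> list:
    """memberOf plus the primary group, which memberOf never lists."""
    sid = primary_group_sid(entry["objectSid"], int(entry["primaryGroupID"]))
    primary_dn = groups_by_sid.get(sid, f"<unresolved {sid}>")
    return list(entry.get("memberOf", [])) + [primary_dn]

def make_sid(*subs: int) -> bytes:
    """Helper that builds binary SIDs for the constructed sample data."""
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample data (hypothetical domain, groups and users).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
ACCOUNTING = "CN=Accounting,OU=Groups,DC=example,DC=com"
GROUPS_BY_SID = {f"{PREFIX}-513": DOMAIN_USERS, f"{PREFIX}-1105": ACCOUNTING}

# User A: primary group changed to Accounting, so memberOf omits Accounting.
USER_A = {"objectSid": make_sid(*DOMAIN, 1201), "primaryGroupID": "1105",
          "memberOf": [DOMAIN_USERS]}
# Default user: primary group is Domain Users (RID 513), memberOf is empty.
USER_B = {"objectSid": make_sid(*DOMAIN, 1202), "primaryGroupID": "513"}

if __name__ == "__main__":
    for name, user in (("userA", USER_A), ("userB", USER_B)):
        print(name, effective_groups(user, GROUPS_BY_SID))
```
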