I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?