I use ACS 4.1 on a Windows server that looks up unknown users in Active Directory. Users in AD are in various groups and ACS has these groups mapped to the ACS groups so that users are granted appropriate access to their needs. This has worked well.
I am now seeing that users are are removed from one AD group and added to another group do not have this change reflected in the ACS system. This is because ACS only looks at the AD group for *unknown users*. The user who has moved AD groups was an unknown user, but, upon first logon, that user became a discovered user. From that point forward, only credentials are checked, not group membership.
On the User Setup section in ACS, there is a button to *Remove Dynamic Users*.
I would love to know the following:
1. Is there a way to have ACS check the current group assignment in AD for *Discovered Users*?
2. If not, is there a way to automate the *Remove Dyanmic Users* fucntion? I have used CSUtil in the past but it seems a little cumbersome for this feature in that I had to dump out the users, reformat the output, and then push the deletion back through. I don't recall it making distinctions of known versus discovered users. It just had users names in ACS groups.
Any insights would be greatly appreciated!