I might skipped the answer to my question in the security section of this forum. The list huge and sorry if the question is asked again.
I have a concern regarding adding mappings for Domain in the ACS external user database. The point is that every NT group has an asterisk after the comma, and the ACS documentation says:
"The asterisk (*) at the end of a group mapping indicates that the mapping applies users who belong to other groups in addition to those specified by the mapping."
Would it mean that every user who doesn't belong to the NT group in question will be successfully authenticated?