Cisco Support Community

Renaming AD group used in external identity store

Hello,

There is a need to rename some of the Active Directory groups mapped to an external identity store on our ACS 5.4 server. Has anybody ever done this? Does the ACS server just magically pick up on the renamed group or do we need to manually remove the old group name and re-add the new group name to the identity store? If so, does that mean we need to modify all the rules associated with that group?

Thanks, just trying to figure out how much work this is going to be.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
Accepted Solutions
Hi,

AFAIK you would have to remove the policies associated with those groups, remove the old groups, add the new groups and create the policies.

You can however just create the new groups in the Active Directory, add the groups in the ACS and using the AD group 'OR' condition just add the new groups in the Policy.

E.g., if your old group name is "Helpdesk" and you would like to change it to "Helpdesk users", you can create the new group in the AD, add the group in the ACS and in the policy just select if the user is part of either "Helpdesk" or "Helpdesk users" --> apply the policy.

This way you would be able to save some of your time.

Regards,

Kush

4 REPLIES
Cisco Employee

Good question! I would like to know the answer to it as well. Same for ISE! It would be a pain to delete the group(s) because ACS/ISE won't let you if they are referenced in policies so it would be a major pain in the rear. I am away from home now but can test it in my lab when I return next week. Hopefully someone else chimes in before that :)

Thank you for rating helpful posts!

Bump .. Anybody?

Thanks Kush, that's what I was thinking I would need to do.  I was hoping the new group names would just migrate over but that was probably too much to ask.  We would be replacing groups, not adding them so I'd have to go back afterwards and remove the "or" groups.  Time consuming either way, but the way you described is certainly faster and safer.  
