Does PAM support nested Global and Universal AD groups?

Document ID : KB000105635
Last Modified Date : 06/07/2018
Question:
In PAM is it possible to use nested Active Directory groups consisting of Global and Universal groups?
Answer:
Note:
Universal groups cannot be members of Global groups.
The reverse is possible: Global groups can be members of Universal groups.

To confirm PAM is working correctly, create:
- a Universal group "group3" with member "user3"
- two Global groups "group2" with member "user2" and "group1" with member "user1"
- cascade group3 with member group2, and group2 with member group1
- in CA PAM LDAP Import select group3 only
- finally I find all three users being discovered and imported to PAM
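
The test setup above, scripted as an added example (not part of the CA article or CA's own tooling). It assumes the RSAT ActiveDirectory PowerShell module, a single domain in which user1, user2 and user3 already exist, and a placeholder OU path; it also checks on the AD side that the reverse nesting is rejected and that group3 resolves recursively to all three users before the PAM LDAP import is run.

```powershell
# Added example: build the nested test groups and verify them in AD.
# Assumptions: ActiveDirectory module installed, user1..user3 already exist,
# $ou is a placeholder test OU (not from the article).
Import-Module ActiveDirectory
$ou = 'OU=PamTest,DC=example,DC=com'

# One Universal group and two Global groups, as in the steps above.
New-ADGroup -Name 'group3' -SamAccountName 'group3' -GroupScope Universal -GroupCategory Security -Path $ou
New-ADGroup -Name 'group2' -SamAccountName 'group2' -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'group1' -SamAccountName 'group1' -GroupScope Global -GroupCategory Security -Path $ou

# Direct user membership.
Add-ADGroupMember -Identity 'group3' -Members 'user3'
Add-ADGroupMember -Identity 'group2' -Members 'user2'
Add-ADGroupMember -Identity 'group1' -Members 'user1'

# Cascade: group3 (Universal) contains group2 (Global), which contains group1 (Global).
Add-ADGroupMember -Identity 'group3' -Members 'group2'
Add-ADGroupMember -Identity 'group2' -Members 'group1'

# The reverse nesting (Universal inside Global) must be rejected by AD.
try {
    Add-ADGroupMember -Identity 'group1' -Members 'group3' -ErrorAction Stop
    Write-Warning 'Unexpected: Universal group accepted as member of a Global group.'
} catch {
    Write-Host "Rejected as expected: $($_.Exception.Message)"
}

# Resolve group3 recursively; this is the user set the import of group3 should yield.
$expected = 'user1', 'user2', 'user3'
$actual = @(Get-ADGroupMember -Identity 'group3' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object -Unique)

if (($actual -join ',') -eq ($expected -join ',')) {
    Write-Host "group3 resolves to: $($actual -join ', ')"
} else {
    Write-Warning "Nested membership mismatch. Found: $($actual -join ', ')"
}
```

If the recursive listing is correct in AD but the PAM import returns fewer users, the discrepancy is on the PAM LDAP import side rather than in the group structure.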
Additional Information:
https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/provision-your-server/provisioning-users/configure-user-groups/import-ldap-user-groups#ImportLDAPUserGroups-NestedGroups