
We had an issue where one of our conditions was continually failing even though users were in the appropriate AD group. I thought I would share what I found and how I troubleshot this issue to assist you if you run into the same issue.

While troubleshooting the issue, it was identified that an AD group had been renamed to a new naming standard. This in turn caused some failures and so the IT administrators decided the easiest fix was to create a new AD group with the old name and copy the users into the new group (with the old name).

In theory this would work if all the logic simply validated against the AD group name string, so it is easy to see how someone could make this assumption. However, AppSense and other applications capture the AD group name AND the GroupSID.

Within AppSense EM, you can copy a condition within the EM console, then paste that condition into Notepad++. The XML for the condition is what you are now looking at.

The existing configuration XML looked like this (note the GroupName and GroupSID values):

<ActionProperties ClassName="UEM.ActionPropertyCollection.0000">
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Operator" PropertyType="String" Value="Equal" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupName" PropertyType="String" Value="CN=Citrix EDIT,OU=AppSense,DC=ITTECHSMITH,DC=com" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Query" PropertyType="String" Value="" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupSID" PropertyType="String" Value="S-1-5-21-1993962000-179000062-000345543-619403" />
</ActionProperties>

When I created a new condition in EM, pointed to the group in AD, then copied out the XML, this is what I saw:

<ActionProperties ClassName="UEM.ActionPropertyCollection.0000">
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Operator" PropertyType="String" Value="Equal" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupName" PropertyType="String" Value="CN=Citrix EDIT,OU=AppSense,DC=ITTECHSMITH,DC=com" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Query" PropertyType="String" Value="" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupSID" PropertyType="String" Value="S-1-5-21-1993962000-179000062-000345543-778448" />
</ActionProperties>

So while the AD group name was the same, AppSense knew the SID was different.

The fix: You have to update the AppSense EM configuration so that it captures both the new SID and the name. From my observation, simply updating the existing condition to the AD group DOES NOT WORK. You have to create a new condition that points to the new AD group. My guess is that AppSense is only re-polling AD if the name string appears different, so creating a new condition would be the only solution.
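The check I would want before a logon fails: parse the exported condition XML and compare its stored GroupSID with what AD reports for that DN today. This is an added example, not AppSense's code; the two XML fragments are the ones quoted above, and the `CURRENT_AD_SIDS` dictionary is a constructed stand-in for a real lookup such as `(Get-ADGroup -Identity $dn).SID.Value`.

```python
# Added example (not from the original post): audit exported AppSense EM group
# conditions against current AD group SIDs, so a group that was deleted and
# recreated under its old name is caught before the condition fails at logon.
import xml.etree.ElementTree as ET

# The two condition fragments quoted in the post (old config vs. freshly created).
OLD_CONDITION = """<ActionProperties ClassName="UEM.ActionPropertyCollection.0000">
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Operator" PropertyType="String" Value="Equal" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupName" PropertyType="String" Value="CN=Citrix EDIT,OU=AppSense,DC=ITTECHSMITH,DC=com" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="Query" PropertyType="String" Value="" />
   <ActionProperty ClassName="UEM.ActionProperty.0000" Name="GroupSID" PropertyType="String" Value="S-1-5-21-1993962000-179000062-000345543-619403" />
</ActionProperties>"""
NEW_CONDITION = OLD_CONDITION.replace("000345543-619403", "000345543-778448")

# Constructed snapshot of what AD reports today (assumption: in production
# you would fill this from e.g. (Get-ADGroup -Identity $dn).SID.Value).
CURRENT_AD_SIDS = {
    "CN=Citrix EDIT,OU=AppSense,DC=ITTECHSMITH,DC=com":
        "S-1-5-21-1993962000-179000062-000345543-778448",
}


def parse_condition(xml_text):
    """Return (GroupName, GroupSID) stored in an exported EM group condition."""
    root = ET.fromstring(xml_text)
    props = {p.get("Name"): p.get("Value") for p in root.iter("ActionProperty")}
    return props["GroupName"], props["GroupSID"]


def check_condition(xml_text, current_sids):
    """Classify a condition: 'ok', 'stale-sid' (name matches but the SID does
    not, i.e. the group was recreated) or 'missing' (no group with that DN)."""
    name, stored_sid = parse_condition(xml_text)
    live_sid = current_sids.get(name)
    if live_sid is None:
        return "missing"
    # The name match alone is what misled the admins; the SID is what EM uses.
    if live_sid.lower() != stored_sid.lower():
        return "stale-sid"
    return "ok"


if __name__ == "__main__":
    for label, cond in (("old", OLD_CONDITION), ("new", NEW_CONDITION)):
        print(label, check_condition(cond, CURRENT_AD_SIDS))
```

Any condition reported as stale-sid needs to be recreated in the EM console rather than edited, as described above.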
