KB2527 - Mapping based on Primary Group by using LDAP Authorization Server.



Last Modified Date: 12/17/2015 12:26 PM

This article provides information about primary group based mapping via the LDAP authorization server.

Problem or Goal
  • Role mapping based on the Primary Group via the LDAP Authorization Server is currently unsupported on any version of PCS/PPS
  • The primaryGroupToken of a group object is a constructed attribute. This means that the attribute is not stored in Active Directory, but is constructed on the client by the Active Directory Service Interfaces (ADSI) provider. Because the attribute is constructed, it cannot be used as a search criterion in an LDAP query.
  • By default, in Windows NT, Windows 2000, and Windows 2003, the primary group for users is Domain Users. Organizations that use LDAP as an authorization server and want to map users based on their primary group will therefore run into this limitation.

To work around this, you can define a role mapping rule based on the primaryGroupID user attribute. The primaryGroupID for Domain Users is 513, so a rule on that value maps users whose primary group is Domain Users. The number 513 does not appear as a separate attribute of the Domain Users group; it is the relative identifier (RID), the last component of the group's objectSid attribute. If you need to role map on any other AD group that is used as a primary group, you first have to find that group's primaryGroupID.

The following small script lists the primaryGroupID (the RID) of every group, extracted from each group's objectSid, so that you can then build the role mapping rule.

Note: The dsquery Active Directory command is available in the Windows 2000 Server Resource Kit.

@echo off
setlocal
if exist "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
if exist "%TEMP%\%ComputerName%_ListGroupRID_2.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
rem Return the objectSid and sAMAccountName of every group object in the domain
set query=dsquery * domainroot -filter "(&(objectClass=Group))" -attr objectSid sAMAccountName -limit 0
rem Split each output line on "-". Tokens 2-8 cover both builtin SIDs (S-1-5-32-RID) and
rem domain SIDs (S-1-5-21-x-y-z-RID); the last non-empty token is "<RID>  <group name>".
for /f "Tokens=2-8 Delims=-" %%a in ('%query%') do call :rid "%%a" "%%b" "%%c" "%%d" "%%e" "%%f" "%%g"
sort "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" /O "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
type "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
endlocal
goto :EOF

:rid
rem Skip SID components that contain no space; the one with spaces holds the RID and the name
if {%1}=={} goto :EOF
set wrk1=%1
set wrk2=%wrk1: =%
if %wrk1% EQU %wrk2% shift&goto rid
rem Drop the quotes, then split the RID (first four characters, so RIDs up to 9999) from the name
set wrk2=%wrk1:"=%
set wrk1=%wrk2:~0,4%
set wrk2=%wrk2:~4%
rem Right-justify a three-digit RID so that sort orders the list numerically
if "%wrk1:~3,1%" EQU " " set wrk1= %wrk1:~0,3%
:trim
rem Remove the column padding in front of the group name
if "%wrk2:~0,1%" EQU " " set wrk2=%wrk2:~1%&goto trim
rem "Pre-Windows 2000 Compatible Access" contains a hyphen and was split; reassemble it
if /i "%wrk2%" NEQ "Pre" goto out
set wrk2=Pre-%2
set wrk2=%wrk2:"=%
:out
echo %wrk1% "%wrk2%">>"%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
goto :EOF


When this script is run on a domain controller, the generated output lists the primaryGroupID and the name of each group.

Note: A typical output looks like the following, but it varies between environments depending on the Active Directory structure of an organization.
512 "Domain Admins"
513 "Domain Users"
514 "Domain Guests"
515 "Domain Computers"
516 "Domain Controllers"
517 "Cert Publishers"
518 "Schema Admins"
519 "Enterprise Admins"
520 "Group Policy Creator Owners"
544 "Administrators"
545 "Users"
546 "Guests"
548 "Account Operators"
549 "Server Operators"
550 "Print Operators"
551 "Backup Operators"
552 "Replicator"
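As an added illustration (not part of this article or of the batch script above), the following Python decodes the binary objectSid value that an LDAP search returns, extracts the RID that a user's primaryGroupID refers to, and shows why a rule based only on memberOf misses the primary group. The group names, SIDs, the VPN-Users group and the user record are constructed sample data; only the binary SID layout is the real one.

```python
import struct


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid into S-<rev>-<authority>-<sub>... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each
    sub-authority as a 4-byte little-endian unsigned integer.
    """
    if len(sid) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", sid, 8)
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))


def rid_of(sid_str: str) -> int:
    """The RID is the last sub-authority; for a group it is what primaryGroupID refers to."""
    return int(sid_str.rsplit("-", 1)[1])


def make_sid(authority: int, *subs: int) -> bytes:
    """Constructed helper that builds a binary SID for the sample data below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


DOMAIN = (21, 1234567890, 987654321, 111111111)  # constructed domain sub-authorities
GROUPS = [  # constructed LDAP results: (sAMAccountName, objectSid)
    ("Domain Admins", make_sid(5, *DOMAIN, 512)),
    ("Domain Users", make_sid(5, *DOMAIN, 513)),
    ("Administrators", make_sid(5, 32, 544)),
    ("VPN-Users", make_sid(5, *DOMAIN, 1108)),
]
# Constructed user: primary group is Domain Users (513), which memberOf never lists
USER = {"sAMAccountName": "jdoe", "primaryGroupID": "513", "memberOf": ["VPN-Users"]}


def build_rid_map(groups) -> dict:
    """Same result as the article's batch script: RID -> group name."""
    return {rid_of(sid_to_string(sid)): name for name, sid in groups}


def effective_groups(user: dict, rid_map: dict) -> set:
    """Groups a role mapping rule should see: memberOf plus the primary group resolved via its RID."""
    groups = set(user["memberOf"])
    primary = rid_map.get(int(user["primaryGroupID"]))
    if primary is not None:
        groups.add(primary)
    return groups
```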

To configure the role mapping rule based on the primaryGroupID user attribute:

  1. Log on to PCS (Pulse Secure Connect) as an administrator.
  2. Go to Users > Authentication > [select the realm that has LDAP as an Authorization Server] > Role Mapping and click New Rule.
  3. Select User Attribute from the Rule based on drop-down menu and click Update.
  4. Type an identifiable label in the Name text field. primaryGroupID will not be in the User Attribute list if you are specifying it for the first time.
  5. Click Attributes. A new window is displayed; if it is not, check whether the browser's pop-up blocker is disabled.
  6. Type primaryGroupID in the Attribute text field, click Add Attribute and then click OK.
  7. Select primaryGroupID, select is from the operator drop-down menu, and type 513 in the multi-line text field. Type the primaryGroupID of whichever group you want to perform role mapping on.
  8. Select the role to assign and click Save Changes. Log in as a user and check the policy trace to verify the result.

Contact the Pulse Secure Global Escalation Center if you face any issues.

Created By: Data Deployment


