Issue
Despite an imported remote user being a member of a group in the AD server, this remote user does not retain its membership of the group in CMA. This means that firewall policies referencing that group will not catch traffic sourced by that remote user.
Environment
This problem can occur when you are importing users from AD Directory Services.
Troubleshooting
Ensure that the user is indeed a member of the group that is intended.

Note that the admin that is configured to query the AD server in CMA's Access -> Directory Services page does not have the required permissions to read the MemberOf attribute of the users

Solution
The most common missing permission for querying accounts with WMI queries is group membership. When importing users into CMA, the memberOf attribute is pulled from the AD server, and used to map the user into the AD groups. If the querying admin cannot read this property it returns blank and the users are not correctly mapped as per the group configuration in AD.
