A user removed from an Active Directory group is still being mapped as the AD group by User-AD agent

Created On 07/28/22 03:37 AM - Last Modified 10/25/25 16:59 PM


Symptom


  • A configured user belongs to a sub-group but not to the parent group.
  • The firewall group-mapping setting has only the parent group in its include list.
  • When the configured user is removed from an Active Directory group, the User-AD agent still maps the user to that AD group.
  • Example: the Active Directory groups are as follows:
dyamada.local\group01
    |
    +---  dyamada.local\group01-sub-group
  • The user user01 belongs to both "group01" and "group01-sub-group".
  • The administrator removes "user01" from group01.
  • However, the firewall still shows user01 as belonging to group01.
admin@Lab98-45-PA-5260> show user user-ids all
User Name              Vsys         Groups
------------------------------------------------------------------
dyamada\user01         vsys1      cn=group01,cn=users,dc=dyamada,dc=local
dyamada\user02         vsys1      cn=group01,cn=users,dc=dyamada,dc=local
dyamada\user03         vsys1      cn=group01,cn=users,dc=dyamada,dc=local

Total: 3
* : Custom Group 


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Active Directory
  • User Mapping


Cause


A user who belongs to a sub-group is considered a member of the parent group as well, because group membership is evaluated through nested groups.



Resolution


  1. In this case, user01 is considered a member of "group01" because user01 is a member of "group01-sub-group", and "group01-sub-group" is itself a member of "group01".
  2. The firewall does not show the sub-group because the group-mapping setting does not have "group01-sub-group" in its include list. Therefore it shows only "group01" in the group list for "user01".
  3. This behavior is expected with the above configuration.
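The following is an added example (not Palo Alto Networks code) that models how nested AD membership is flattened against a group-mapping include list, reproducing the symptom above. The directory contents, DNs and function names are constructed for illustration; the real agent resolves membership via LDAP, but the nesting logic is the same.

```python
import copy

# Constructed directory: each group DN -> its direct "member" values
# (user DNs or nested group DNs), as an LDAP query would return them.
DIRECTORY = {
    "cn=group01,cn=users,dc=dyamada,dc=local": [
        "cn=user01,cn=users,dc=dyamada,dc=local",
        "cn=user02,cn=users,dc=dyamada,dc=local",
        "cn=user03,cn=users,dc=dyamada,dc=local",
        "cn=group01-sub-group,cn=users,dc=dyamada,dc=local",  # nested group
    ],
    "cn=group01-sub-group,cn=users,dc=dyamada,dc=local": [
        "cn=user01,cn=users,dc=dyamada,dc=local",
    ],
}
USER01 = "cn=user01,cn=users,dc=dyamada,dc=local"
GROUP01 = "cn=group01,cn=users,dc=dyamada,dc=local"
SUBGROUP = "cn=group01-sub-group,cn=users,dc=dyamada,dc=local"

def flatten_members(group_dn, directory, seen=None):
    """All user DNs that are direct or nested members of group_dn.
    Nested groups are expanded recursively; `seen` stops membership loops."""
    seen = set() if seen is None else seen
    users = set()
    for member in directory.get(group_dn, []):
        if member in directory:                 # member is itself a group
            if member not in seen:
                seen.add(member)
                users |= flatten_members(member, directory, seen)
        else:
            users.add(member)
    return users

def groups_for_user(user_dn, directory, include_list):
    """Groups the firewall reports: only include-list groups are evaluated,
    so a nested sub-group is never listed, but its members count as parent's."""
    return sorted(g for g in include_list if user_dn in flatten_members(g, directory))

def reproduce_symptom(include_list=(GROUP01,)):
    """Return user01's mapped groups before removal, after removing the direct
    group01 membership only, and after also removing the sub-group membership."""
    d = copy.deepcopy(DIRECTORY)
    before = groups_for_user(USER01, d, include_list)
    d[GROUP01].remove(USER01)                   # admin removes direct membership
    after_parent_removal = groups_for_user(USER01, d, include_list)
    d[SUBGROUP].remove(USER01)                  # ... and the nested membership
    after_both = groups_for_user(USER01, d, include_list)
    return before, after_parent_removal, after_both
```

Running `reproduce_symptom()` shows user01 still mapped to group01 after the direct removal, and only dropping from the sub-group as well clears the mapping.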

