The HEIMDAL Dashboard can assign Group Policies to computers automatically, based either on Azure AD Group membership or on AD Computer/User Group membership. Occasionally a Group Policy is not assigned as expected because the data held by the HEIMDAL Dashboard is out of sync with Azure AD (Microsoft Graph) or with the on-premises domain (for example, a delayed domain policy update). This article covers both cases:
1. HEIMDAL Dashboard automatic group policy assignment based on Azure AD Groups
2. HEIMDAL Dashboard automatic group policy assignment based on AD Computer/User Groups
HEIMDAL Dashboard automatic group policy assignment based on Azure AD Groups
BEHAVIOR: I have linked an Azure AD Group to a HEIMDAL Dashboard Group Policy, but the Group Policy is not applied to the computers/users that should receive it.
SOLUTION: work through the checks below in order.
1. Make sure SAML 2.0 is enabled, so that the Azure AD Tenant ID is linked to the HEIMDAL Dashboard (under Guide -> Customer settings).
2. Resync the groups and users by repeating the sync operations from the beginning: press the Grant consent link and enter Microsoft 365 credentials (if prompted), then press the Sync Groups button and the Sync Users button.
3. Once synced, make sure the Azure AD Groups that should be available for linking with HEIMDAL Dashboard Group Policies are selected.
4. Check the Azure AD Group membership to confirm that the object (computer/user) that should receive the linked GP is actually a member of the Azure AD Group in question. If you add the object to the group, repeat the sync from step 2 so that the Dashboard picks up the new membership.
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.
HEIMDAL Dashboard automatic group policy assignment based on AD Computer/User Groups
BEHAVIOR: I have linked an AD Computer/User Group to a HEIMDAL Dashboard Group Policy, but the Group Policy is not automatically applied to the computers/users that should receive it.
SOLUTION: work through the checks below in order.
1. Make sure that the endpoint that should automatically apply the desired Group Policy is set to Automatic in Active Clients (Selected GP should be Automatic).
2. Make sure the endpoint is a member of the desired AD Global Security Group (in this case endpoint SUPPORT11 is a member of the AD_Computers Global Security Group). If the endpoint was only just added to the group, restart it first: a computer's group membership is refreshed when it logs on to the domain.
3. On the endpoint, open Command Prompt (as an Administrator) and run the following command line: gpresult /r. Check the result and make sure the AD Security Group is present in the Security Groups list (in our case, the endpoint is a member of the AD_Computers security group).
4. Check the AD Computer Group configured in the HEIMDAL Dashboard Group Policy. In our case the configured value is missing a letter: AD_Computer instead of AD_Computers, so it never matches the group reported by the endpoint.
After correcting the value entered in the AD Computer Group field, press the Sync button in the HEIMDAL Agent. The endpoint should now apply the correct Group Policy (in our case the Testing AD Computer Group). The same troubleshooting steps apply to AD User Groups.
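The comparison behind steps 3 and 4 can be automated on the endpoint. The following PowerShell is an added example, not part of the HEIMDAL product or its documentation: it parses the security-group list that gpresult prints, checks whether the group name configured in the Dashboard Group Policy is present, and flags near-misses such as AD_Computer vs AD_Computers. The domain CORP, the OU path and the group list in the sample are constructed; on a real endpoint the sample is replaced by live gpresult output.

```powershell
# Added example, not part of HEIMDAL. Compares the AD group name configured in a
# Dashboard Group Policy with the security groups gpresult reports for this
# endpoint, and flags likely typos. Domain/group names below are constructed.

function Get-GpresultSecurityGroups {
    param([Parameter(Mandatory)][string[]]$GpresultOutput)
    # gpresult /r prints the list under a header line ending in
    # "...is a part of the following security groups", then a dashed rule,
    # then one group per line until the next blank line.
    $groups = @()
    $inList = $false
    foreach ($line in $GpresultOutput) {
        if ($line -match 'is a part of the following security groups') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^\s*-+\s*$') { continue }                 # dashed rule under the header
        if ([string]::IsNullOrWhiteSpace($line)) { $inList = $false; continue }
        $groups += $line.Trim()
    }
    return $groups
}

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Levenshtein distance, case-insensitive; used only to suggest likely typos.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    if ($a.Length -eq 0) { return $b.Length }
    if ($b.Length -eq 0) { return $a.Length }
    $prev = New-Object int[] ($b.Length + 1)
    for ($j = 0; $j -le $b.Length; $j++) { $prev[$j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-ConfiguredGroup {
    param(
        [Parameter(Mandatory)][string]$ConfiguredName,    # value in the GP's AD Computer Group field
        [Parameter(Mandatory)][string[]]$EndpointGroups   # output of Get-GpresultSecurityGroups
    )
    # gpresult shows domain groups as DOMAIN\Group; compare on the bare group name.
    $bare = $EndpointGroups | ForEach-Object { ($_ -split '\\')[-1] }
    if ($bare -contains $ConfiguredName) {                 # -contains is case-insensitive
        return [pscustomobject]@{ Result = 'Match'; Groups = $ConfiguredName }
    }
    $near = @($bare | Where-Object { (Get-EditDistance $_ $ConfiguredName) -le 2 })
    if ($near.Count -gt 0) {
        return [pscustomobject]@{ Result = 'NearMiss'; Groups = ($near -join ', ') }
    }
    return [pscustomobject]@{ Result = 'NotMember'; Groups = $null }
}

# Constructed sample of "gpresult /r /scope:computer" output for an endpoint that
# is a member of CORP\AD_Computers (CORP is a made-up domain). On a real endpoint,
# from an elevated prompt, use instead:  $sample = gpresult /r /scope:computer
$sample = @'
COMPUTER SETTINGS
------------------
    CN=SUPPORT11,OU=Workstations,DC=corp,DC=example
    Last time Group Policy was applied: 1/1/2024 at 9:00:00 AM

    The computer is a part of the following security groups
    ---------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
        CORP\Domain Computers
        CORP\AD_Computers

'@ -split "`r?`n"

$groups = Get-GpresultSecurityGroups $sample
# The misspelt value from the Dashboard GP on this page, then the corrected one:
Test-ConfiguredGroup -ConfiguredName 'AD_Computer'  -EndpointGroups $groups
Test-ConfiguredGroup -ConfiguredName 'AD_Computers' -EndpointGroups $groups
```

With the misspelt value the check reports NearMiss and names AD_Computers as the group the endpoint actually belongs to; with the corrected value it reports Match. A NotMember result means the endpoint is not in any similarly named group, so the fix is on the AD side (step 2) rather than in the Dashboard field (step 4). For AD User Groups run gpresult with /scope:user in the user's session and pass the configured AD User Group name instead.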
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.