Description
This article describes how to troubleshoot issues related to user AD groupings in scenarios such as the following:
- Endpoint is not matching user-based endpoint policy.
- Endpoint is not matching user-based deployment policy.
- Endpoint is not getting 'User in AD Group', or 'Logged in Domain' ZTNA tag.
Scope
FortiClient EMS 7.0.x to 7.2.x.
Solution
In the EMS endpoint pane, hover the mouse cursor over the affected endpoint's end user name.
If FortiClient EMS can read the user's account info, the above issue should not occur:
If results similar to the following are received, however...
... This means EMS somehow failed to read the end user's account info, and may not recognize the endpoint as a domain-joined device.
Consequently, user-based features will not work as expected.
To troubleshoot this, collect FCT_Diagnostic_Result in debug level logging. See this article for more information, referring specifically to the 'FortiClient Windows' section.
In the affected endpoints, run the following CLI command:
gpresult /z >"%USERPROFILE%\Desktop\gpresult.txt"
dsregcmd /status >"%USERPROFILE%\Desktop\dsregcmd.txt"
Open a FortiCare TAC ticket and attach the following items for TAC to analyze:
- FCT_Diagnostic_Result.
- gpresult.txt in the desktop.
- dsregcmd.txt in the desktop.
- A screenshot of the issue in the EMS endpoint pane.
- Copy and paste the affected machine's FortiClient serial number and FCTUID. (In this example, as highlighted in the second screenshot: FCT8003053567452, E4596AD8E02A4C97B02CB5CBF6A33B60).
Fortinet TAC will analyze and find out the root cause.
