Description
This article explains how to collect complete user group membership against Windows LDAP.
Scope
FSSO, FortiGate, FortiAuthenticator.
Solution
FortiGate collects information about logged-in users and their group memberships from Collector Agents. The Collector Agent fetches user group information from Windows LDAP. If the group memberships are incorrect in Windows LDAP, they will be equally incorrect in the Collector Agent and in FortiGate. As a result, FortiGate policies using FSSO groups may not be matched in the expected order. In such cases, it is necessary to check the actual user group memberships directly in LDAP.
The following Windows CLI commands help with troubleshooting actual user group memberships.
To find all group memberships for a user, including nested groups, use the following command:
    dsget user <DistinguishedName> -memberof -expand
The user's DistinguishedName can be found with the following PowerShell command:
    Get-ADUser jdoe | Select-Object DistinguishedName
Here, jdoe is the user's SamAccountName.
The complete command looks like this:
    dsget user "CN=John Doe,OU=of,DC=fortiad,DC=net" -memberof -expand
When the group membership list is too long to read on screen, the output can be redirected to a text file with the following command:
    dsget user "CN=John Doe,OU=of,DC=fortiad,DC=net" -memberof -expand > jdoe.txt
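The same check can be scripted so the result can be compared line by line with the groups the Collector Agent reports. The script below is an added example and is not part of the original article or Fortinet's own tooling; it assumes the RSAT ActiveDirectory PowerShell module is installed and uses jdoe and the output file name as placeholders.

```powershell
# Added example (not from the original article): write a user's complete
# (direct + nested) AD group membership to a file for comparison with FSSO.
# Assumes the ActiveDirectory module; user name and output path are placeholders.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$OutFile = "$SamAccountName-groups.txt"
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID

# The primary group (normally Domain Users) is stored only in primaryGroupID,
# not in member/memberOf, so it must be resolved separately from the domain SID.
$domainSid = (Get-ADDomain).DomainSID.Value
$primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

# Escape characters that are special in an LDAP filter (RFC 4515) before
# embedding a DN in the filter string. Backslash must be replaced first.
function ConvertTo-LdapFilterValue([string]$Value) {
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $Value = $Value.Replace($pair[0], $pair[1])
    }
    return $Value
}
$userDn = ConvertTo-LdapFilterValue $user.DistinguishedName
$primaryDn = ConvertTo-LdapFilterValue $primary.DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain
# controller follow nested membership itself, the equivalent of 'dsget -expand'.
# Chaining from the primary group as well catches groups that contain
# Domain Users, which a query on the user DN alone would miss.
$rule = '1.2.840.113556.1.4.1941'
$filter = "(|(member:$rule`:=$userDn)(member:$rule`:=$primaryDn))"
$nested = Get-ADGroup -LDAPFilter $filter -Properties GroupScope

$all = @($primary) + @($nested) | Sort-Object DistinguishedName -Unique

"User: $($user.DistinguishedName)" | Out-File -FilePath $OutFile
$all | Select-Object Name, GroupScope, DistinguishedName |
    Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File -FilePath $OutFile -Append
Write-Host "$($all.Count) groups written to $OutFile"
```

Groups present in this file but missing from the Collector Agent's user list point at a collector-side problem; groups missing here point at the directory itself.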
Copyright 2025 Fortinet, Inc. All Rights Reserved.