Hello,
If you have setup and imported the required groups on the Fortigate, then it would seem your basic Collector Agent setup is good.
Some things you could have a look at, and/or try, is :
- check on the Collector Agent Gui if the 2 check-boxes at the top are checked, ie Monitoring user logon events, and Support NTLM authentication.
- Are the browsers used by the 3-4 users seen from the domain configured differently form others, mostly in Tools>Internet options>Advanced>Security : Use Windows integrated authentication ?
I must say we still are not exactly sure how our setup works, but it does, with User authentication policies, User groups and Webfilter Profiles, etc.
We have a collector Agent monitoring say 20 DCs with DCAgents, but we are at the point where we are not sure what does what exactly, FSSO, NTLM, etc.
And I don' t want to get into the détails of that at the moment, let' s just say on our production Fortigate users show as NTLM authenticated, Under User & Device>Monitor, while on the Test Fortigate they show as FSSO .
Production FSSO Collector Agent uses DC Agents, and Test FSSO collector Agent uses Polling.
Anyway, I hope any of this helps in some way :)