Authentication Service, Mac & PC Management Service
The Zone Provisioning Agent may sometimes give unexpected results, such as users/groups not being added to the Zone.
What can be done to troubleshoot such issues?
The ZPA monitored container is set to the entire domain by default. However, if a specific container is defined for the Zone Provisioning Agent instead, make sure it is set to the container ABOVE the Zone to be auto-provisioned and nothing else (i.e. it should not be an AD group). See the screenshot below for the steps on how to do so:
If nothing appears in "Groups" even after enabling auto-provisioning for group profiles, make sure the source group is set to the AD group whose members are the groups to be listed as group profiles.
For example, AD group "CheeseBurger" is a member of AD group "Burgers". To have "CheeseBurger" in the group list of the auto-provisioned Zone, put "Burgers" as the source group, as shown in the screenshot below:
If an Active Directory group for "Primary group" is defined under "Enable auto-provisioning for user profiles", make sure that the group is included in the "Groups" list for that Zone (see the screenshot below for more information).
If the group does not appear in the list, add the target group manually by right-clicking "Groups" after disabling auto-provisioning on that Zone. Re-enable auto-provisioning after adding the group.
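The monitored-container and source-group checks described above can also be run from PowerShell with the ActiveDirectory module. This is an added example, not vendor code or part of the original article. The function name, DNs and zone name are constructed placeholders, and it assumes that "above the Zone" means the Zone's DN ends with the container's DN and that the expected groups are direct members of the source group, as in the "CheeseBurger"/"Burgers" case.

```powershell
# Added example, not vendor code. DNs and the zone name below are constructed
# placeholders; the function name is hypothetical.
Import-Module ActiveDirectory

function Test-ZpaProvisioningInput {
    param(
        [Parameter(Mandatory)] [string]   $MonitoredContainerDN,
        [Parameter(Mandatory)] [string]   $ZoneDN,
        [Parameter(Mandatory)] [string]   $SourceGroup,
        [Parameter(Mandatory)] [string[]] $ExpectedGroups
    )
    $findings = @()

    # Resolve both objects so the DNs are compared in the directory's own form.
    $container = Get-ADObject -Identity $MonitoredContainerDN
    $zone      = Get-ADObject -Identity $ZoneDN

    # The monitored container must be a container/OU/domain, not an AD group.
    if ($container.ObjectClass -eq 'group') {
        $findings += "Monitored container '$($container.Name)' is an AD group."
    }

    # Assumption: "above the Zone" means the Zone's DN ends with the container's DN.
    $suffix = ',' + $container.DistinguishedName
    if (-not $zone.DistinguishedName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Zone '$($zone.Name)' is not below the monitored container."
    }

    # Each group expected in the Zone's "Groups" list must be a member of the source group.
    $memberDNs = @(Get-ADGroupMember -Identity $SourceGroup |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { $_.distinguishedName })
    foreach ($name in $ExpectedGroups) {
        $dn = (Get-ADGroup -Identity $name).DistinguishedName
        if ($memberDNs -notcontains $dn) {
            $findings += "'$name' is not a direct member of source group '$SourceGroup'."
        }
    }

    if ($findings.Count -eq 0) { 'No problems found in the checked settings.' } else { $findings }
}

# Example invocation with constructed values:
Test-ZpaProvisioningInput -MonitoredContainerDN 'OU=UNIX,DC=example,DC=com' `
    -ZoneDN 'CN=Engineering,CN=Zones,OU=UNIX,DC=example,DC=com' `
    -SourceGroup 'Burgers' -ExpectedGroups 'CheeseBurger'
```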
If you cannot add a user and the console keeps telling you that a user name with that UNIX name already exists, make sure there are no orphaned UNIX objects in the zone: